Level Finance confirms $1M exploit due to buggy smart contract

Decentralized exchange Level Finance has experienced a security breach allowing an attacker to steal more than $1 million of the exchange’s native Level Finance (LVL) token. 

Level Finance informed its 20,000 Twitter followers that more than 214,000 of the exchange’s LVL tokens had been drained and swapped into 3,345 Binance Coin (BNB), with an approximate value of $1.01 million. 

An exploit targeted our Referral Controller Contract.

– 214k LVL tokens drained to exploiters address.
– Attacker swapped LVL to 3,345 BNB
– Exploit was isolated from other contracts.
– Fix to be deployed in 12 Hrs.
– LP’s and DAO treasury UNAFFECTED.

More details to follow.

— LEVEL Finance #RealYield (@Level__Finance) May 1, 2023

According to blockchain security firm Peckshield, Level Finance’s “LevelReferralControllerV2” smart contract contained a bug that allowed for “repeated referral claims” from the same epoch. This was confirmed by Level Finance in a later statement made on Discord.

It seems the @Level__Finance‘s LevelReferralControllerV2 contract has a bug that allows for repeated referral claims from the same epoch. So far 214k LVLs have been drained and swapped into 3,345 BNB (~1M)

Here is an example hack tx: https://t.co/isqHhzFk1Z https://t.co/ikOWx2ezf6 pic.twitter.com/wlr5bFFf0R

— PeckShield Inc. (@peckshield) May 1, 2023

Meanwhile,