Level Finance, a BNB Chain-based decentralized perpetual exchange, saw an exploit on one of its smart contracts.
In a Twitter announcement on Tuesday, the project notified its followers about an exploit that drained 214,000 of its native LVL tokens, valued at around $1 million at the time of writing.
An exploit targeted our Referral Controller Contract.
– 214k LVL tokens drained to exploiters address.
– Attacker swapped LVL to 3,345 BNB
– Exploit was isolated from other contracts.
– Fix to be deployed in 12 Hrs.
– LP's and DAO treasury UNAFFECTED. More details to follow.
— LEVEL Finance #RealYield (@Level__Finance) May 1, 2023
Level Finance said that the exploit was isolated to its Referral Controller Contract and planned to deploy a fix within the next 12 hours.
According to an analysis of the exploit from blockchain security firm PeckShield, the contract had a bug that allowed repeated referral claims from the same epoch. The attacker managed to drain the LVL tokens and swap them for 3,345 BNB tokens.
A separate analysis from security firm DeDotFi suggests that the attacker created the unverified contract seven days ago. The firm also relayed a message from the Level Finance team stating that the exploit was stopped because the referral program had been temporarily shut down.
Level Finance’s smart contracts were audited by blockchain auditing firm Obelisk, which published a detailed report on the risks and issues posed by the project in January. The auditing firm flagged two high-risk issues that remained open at the time of the audit – no maximum capacity on swaps, and missing contracts and functions.
At the time, Obelisk said that interactions with the ReferralController contract could cause unexpected problems. The firm said that there was a risk for re-entrancy issues depending on how the contract was used.
“The referral controller contract is included in the core repository as it's not related to trading function. Honestly, we don’t have a clear plan for this feature yet so we leave it as something like a placeholder rather than an actual implementation,” said the Level Finance team in response to Obelisk, adding that they believed this contract was out of the audit scope.
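The bug class PeckShield describes (repeated referral claims for one epoch) and the ordering concern Obelisk raised about the ReferralController, shown in an illustrative Solidity contract. This is an added example, not Level Finance's code: the contract, function and variable names are assumptions, and the batch claim generalizes the single-epoch case described in the article.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Illustrative per-epoch referral reward controller. Not Level Finance's
/// code; every name here is made up for the example.
contract ReferralRewards {
    IERC20 public immutable rewardToken;
    address public immutable operator;
    uint256 public currentEpoch;
    // rewards[user][epoch]: amount accrued to a referrer in that epoch
    mapping(address => mapping(uint256 => uint256)) public rewards;
    // claimed[user][epoch]: set once that epoch has been paid out. Paying
    // rewards[user][epoch] without checking and setting a flag like this
    // lets one epoch be claimed repeatedly, the bug class PeckShield describes.
    mapping(address => mapping(uint256 => bool)) public claimed;

    constructor(IERC20 token) {
        rewardToken = token;
        operator = msg.sender;
    }

    /// Operator closes the current epoch and credits referrers for it.
    function finalizeEpoch(address[] calldata users, uint256[] calldata amounts) external {
        require(msg.sender == operator, "not operator");
        require(users.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < users.length; i++) {
            rewards[users[i]][currentEpoch] += amounts[i];
        }
        currentEpoch += 1;
    }

    /// Claim several finalized epochs at once. The flag is set before the
    /// external transfer (checks-effects-interactions): repeating an epoch,
    /// across calls or inside one batch, reverts; so does a re-entrant claim.
    function claim(uint256[] calldata epochs) external {
        uint256 total;
        for (uint256 i = 0; i < epochs.length; i++) {
            uint256 epoch = epochs[i];
            require(epoch < currentEpoch, "epoch not finalized");
            require(!claimed[msg.sender][epoch], "already claimed");
            claimed[msg.sender][epoch] = true;
            total += rewards[msg.sender][epoch];
        }
        require(total > 0, "nothing to claim");
        require(rewardToken.transfer(msg.sender, total), "transfer failed");
    }
}
```

A unit test for such a contract should include a batch like `[3, 3]` and a second call for an already-paid epoch, both of which must revert with "already claimed".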