TL;DR#
On May 1, 2023, Level Finance was exploited due to a smart contract vulnerability, resulting in a loss of approximately $1.1 million.
Introduction to Level Finance#
Level Finance is a decentralized and non-custodial perpetual market on the BNB Chain with custom risk management and innovative LP solutions.
Vulnerability Assessment#
The root cause of the vulnerability is a bug that allows multiple referral claims from the same epoch.
Steps#
Step 1:
We attempted to analyze the attack transaction executed by the exploiter.
Step 2:
The contract has incorrectly set the way in which rewards are calculated using the `claimMultiple` function. Instead of performing a `+=` operation, it just sets the value with an `=` operation, so the same value gets used for deduction over and over again.
function claimMultiple(uint256[] calldata _epoches, address _to) external {
uint256 totalReward;
for (uint256 i = 0; i < _epoches.length; ++i) {
uint256 epoch = _epoches[i];
if (epoch < currentEpoch) {
uint256 reward = claimable(epoch, msg.sender);
if (reward > 0) {
users[epoch][msg.sender].claimed = reward;
totalReward += reward;
emit Claimed(epoch, _to, reward);
}
}
}
LVL.safeTransfer(_to, totalReward);
}
Step 3:
Due to this error, it allowed for repeated referral claims from the same epoch.
Step 4:
The exploiter drained approximately 214k LVL tokens and swapped them into 3,345 BNB, worth approximately $1.1 million. All of the stolen assets are held at this address.
Aftermath#
Following the attack, the team acknowledged the occurrence of the incident. The specifics mention the details of the stolen LVL tokens and that the attacker has swapped them for BNB tokens. The exploit was isolated from other contracts, and a fix for the issue will be deployed shortly. They further mentioned that the liquidity pools and DAO Treasury remained unaffected.
Solution#
The exploitation of Level Finance is a clear example of how a simple smart contract bug can lead to significant losses. Preventing such attacks requires rigorous testing, auditing, and validation of smart contracts, which is paramount in the DeFi space due to their immutable and irreversible nature. However, even the best preventative measures cannot guarantee absolute safety from every potential exploit.
This is where coverage made available by marketplaces like Neptune Mutual can significantly lessen the effects of such incidents. If Level Finance had established a dedicated cover pool with Neptune Mutual before this incident, affected users could have received compensation for their losses promptly, reducing the financial and psychological toll that such an incident can cause.
Neptune Mutual's parametric policies, designed to provide instant payouts as soon as an incident is resolved through the incident resolution system, would have been an invaluable lifeline for the users affected by the Level Finance exploit. Neptune Mutual does not require explicit loss evidence, allowing for an uncomplicated and swift recovery process for victims of such attacks. At the moment, our marketplace is available on two popular blockchain networks, Ethereum, and Arbitrum.
In addition, Neptune Mutual's seasoned security team offers evaluations of platforms for potential vulnerabilities, including DNS and web-based security, frontend and backend security, and intrusion detection and prevention. If Level Finance had taken advantage of these services, this vulnerability could have been identified and rectified before causing any harm.
Reference Source PeckShield
