How Was Level Finance Exploited?


Learn how Level Finance was exploited, resulting in a loss of approximately $1.1 million.

TL;DR

On May 1, 2023, Level Finance was exploited due to a smart contract vulnerability, resulting in a loss of approximately $1.1 million.

Introduction to Level Finance

Level Finance is a decentralized and non-custodial perpetual market on the BNB Chain with custom risk management and innovative LP solutions.

Vulnerability Assessment

The root cause of the vulnerability is a bug in the referral reward accounting that allows the same epoch's referral rewards to be claimed multiple times.

Steps

Step 1:

We attempted to analyze the attack transaction executed by the exploiter.

Step 2:

The bug is in the `claimMultiple` function, which records how much of an epoch's reward a user has already claimed. Instead of accumulating the amount with a `+=` operation, it overwrites the stored value with an `=` operation, so the same value gets used for the deduction over and over again.

```solidity
function claimMultiple(uint256[] calldata _epoches, address _to) external {
    uint256 totalReward;
    // The caller-supplied array is not checked for repeated epochs.
    for (uint256 i = 0; i < _epoches.length; ++i) {
        uint256 epoch = _epoches[i];
        if (epoch < currentEpoch) {
            uint256 reward = claimable(epoch, msg.sender);
            if (reward > 0) {
                // BUG: overwrites the stored claimed amount instead of accumulating it with `+=`
                users[epoch][msg.sender].claimed = reward;
                totalReward += reward;
                emit Claimed(epoch, _to, reward);
            }
        }
    }

    LVL.safeTransfer(_to, totalReward);
}
```

Step 3:

This error allowed repeated referral claims from the same epoch.
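The following contract is an added example written for this article; it is not Level Finance's code and does not reproduce its tier and trading-point reward formula. It shows the accounting pattern that closes the hole described above: the amount already paid out for an epoch is deducted from the entitlement inside `claimable`, the `claimed` field is accumulated with `+=` rather than overwritten, and a single call may not list the same epoch twice. The `entitlement` field, the `operator` role, and the `recordEntitlement` and `closeEpoch` functions are hypothetical stand-ins for whatever mechanism a real protocol uses to compute and finalize per-epoch rewards.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Illustrative referral-reward ledger (example code, not Level Finance's contract).
contract ReferralClaimsExample {
    using SafeERC20 for IERC20;

    struct UserInfo {
        uint256 entitlement; // hypothetical: total reward earned for the epoch
        uint256 claimed;     // cumulative amount already paid out for the epoch
    }

    IERC20 public immutable LVL;
    address public immutable operator; // hypothetical role that records entitlements
    uint256 public currentEpoch;
    mapping(uint256 => mapping(address => UserInfo)) public users;

    event Claimed(uint256 indexed epoch, address indexed to, uint256 amount);

    constructor(IERC20 _lvl, address _operator) {
        LVL = _lvl;
        operator = _operator;
    }

    modifier onlyOperator() {
        require(msg.sender == operator, "not operator");
        _;
    }

    /// Entitlements can only be written for the epoch that is still open, and
    /// claims are only paid for closed epochs, so `claimed` never exceeds
    /// `entitlement` and the subtraction in `claimable` cannot underflow.
    function recordEntitlement(uint256 _epoch, address _user, uint256 _amount) external onlyOperator {
        require(_epoch == currentEpoch, "only the open epoch can be updated");
        users[_epoch][_user].entitlement = _amount;
    }

    function closeEpoch() external onlyOperator {
        currentEpoch += 1;
    }

    /// Remaining reward for a closed epoch: entitlement minus what was already paid.
    function claimable(uint256 _epoch, address _user) public view returns (uint256) {
        if (_epoch >= currentEpoch) return 0;
        UserInfo storage info = users[_epoch][_user];
        return info.entitlement - info.claimed;
    }

    function claimMultiple(uint256[] calldata _epoches, address _to) external {
        uint256 totalReward;
        uint256 lastEpoch;
        for (uint256 i = 0; i < _epoches.length; ++i) {
            uint256 epoch = _epoches[i];
            // Require strictly increasing epochs: this rejects duplicates in one call
            // without an O(n^2) scan of the array.
            require(i == 0 || epoch > lastEpoch, "epochs must be strictly increasing");
            lastEpoch = epoch;

            uint256 reward = claimable(epoch, msg.sender);
            if (reward > 0) {
                // Effects before interaction: accumulate, never overwrite.
                users[epoch][msg.sender].claimed += reward;
                totalReward += reward;
                emit Claimed(epoch, _to, reward);
            }
        }
        LVL.safeTransfer(_to, totalReward);
    }
}
```

Two of the three guards are independent of each other: even if the strictly-increasing check were removed, a second pass over the same epoch would see `claimable` return zero because the accumulated `claimed` value has already been deducted. Keeping the explicit check as well makes a malformed call fail loudly, which is easier to spot in monitoring than a silent zero-value claim.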

Step 4:

The exploiter drained approximately 214k LVL tokens and swapped them for 3,345 BNB, worth approximately $1.1 million. All of the stolen assets are held at this address.

Aftermath

Following the attack, the team acknowledged the incident. Their statement detailed the stolen LVL tokens and noted that the attacker had swapped them for BNB. The exploit was isolated from other contracts, and a fix for the issue was to be deployed shortly. They further stated that the liquidity pools and DAO Treasury remained unaffected.

Solution

It is critical to understand that no security measure is perfect, but implementing rigorous security standards can greatly reduce the risk of such attacks on DeFi protocols. These standards help identify and address potential attack vectors before attackers exploit them. Formal verification tools can also be used to check that a smart contract behaves as intended.

This exploit could have been prevented if proper validation techniques had been used to ensure that all potential attack surfaces were fully addressed. It is essential that project teams conduct rigorous audits with multiple blockchain security firms to prevent such occurrences.

We may not have been able to prevent this hack; however, its impact or aftermath could have been significantly reduced if the team associated with Level Finance had set up a dedicated cover pool in the Neptune Mutual marketplace. Through our parametric policies, we offer coverage to users who have suffered a loss of funds or digital assets as a result of smart contract vulnerabilities.

Users who purchase the available parametric cover policies do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident is resolved through the incident resolution system. At the moment, our marketplace is available on two popular blockchain networks, Ethereum and Arbitrum.

Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.

Reference Source: PeckShield
