A “claim multiple” bug in Level Finance’s smart contract allowed an attacker to steal over 214,000 LVL tokens, worth more than $1 million.
Decentralized exchange, Level Finance, disclosed a security breach on Twitter where an attacker stole more than $1 million in the exchange’s native token, Level Finance (LVL).
The exchange revealed that the attacker took advantage of a “claim multiple” bug in its “LevelReferralControllerV2” smart contract, allowing the attacker to make multiple referrals claims from the same epoch. The attack resulted in over 214,000 LVL tokens being drained and swapped into 3,345 Binance Coin (BNB) with an approximate value of $1.01 million.
Peckshield, a blockchain security firm, confirmed that the smart contract contained the bug, and Level Finance acknowledged it in a later statement. Despite the attack, Level Finance assured its users that its liquidity pools and related DAOs were not affected.
The exchange also stated that a new implementation of the referral contract will be deployed within the next 12 hours to prevent future incidents.
Level Finance reported that it had temporarily shut down its referral program, which halted the exploit. The team is currently investigating the incident and has promised to provide a post mortem soon.