LEVEL FINANCE - May 2, 2023


Drop your email to read the BlockApex newsletter and keep yourself updated around the clock.

    Table Of Content



    Level Finance is a decentralized finance (DeFi) platform operating on the BNB Chain that offers users the ability to trade perpetual markets in a non-custodial and decentralized manner. The platform focuses on providing unique risk management features and innovative liquidity solutions, aiming to create an efficient, transparent, and secure financial ecosystem. However, its advanced architecture also exposes vulnerabilities that can be exploited by malicious actors. In this hack analysis, we will explore the Level Finance hack, where $1.1 million in referral rewards were stolen, emphasizing the critical role of security measures and on-chain monitoring in the DeFi space.

    Hack Impact

    The Level Finance hack significantly affected the platform and its users, as the attacker managed to steal $1.1 million in referral rewards. This breach undermined trust in Level Finance and raised concerns about the security of similar DeFi platforms. Additionally, the LVL token price crashed by 65% due to the attacker's actions, although it later mostly recovered. This price fluctuation negatively impacted investor and trader confidence, potentially affecting trading volume and market liquidity.

    Level Finance - token price impact

    Level Finance: Hack Explained

    The Level Finance hack occurred due to a bug in the LevelReferralControllerV2 contract. The contract contained a function called "claimMultiple," which was designed to allow users to claim their referral rewards for multiple epochs. However, the function lacked a critical check that would prevent a user from claiming rewards for the same epoch multiple times. The attacker exploited this vulnerability to steal a large amount of LVL tokens, which they later converted into BNB.

    Here is the Break down of the Attack:

    Understanding the Vulnerable Function

    The "claimMultiple" function is like a rewards counter at a store, where customers can redeem their earned points for rewards. However, the counter has a flaw: it doesn't check if a customer has already claimed their reward for the same period (epoch). This allows customers to claim the same reward multiple times.

    Level Finance - Vulnerable function

    Preparing the Attack

    The attacker, acting like a cunning customer, first created many referrals to increase their reward tier (the more referrals, the higher the rewards). Next, they used flash loans to perform dozens of swaps, simulating genuine trading activity and increasing their reward points further.

    Exploiting the Vulnerability

    The attacker visited the flawed rewards counter (the "claimMultiple" function) and claimed referral rewards for the same epoch multiple times, taking advantage of the missing check. This allowed them to drain a large number of LVL tokens from the Level Finance platform.

    Level Finance - exploit

    Cashing Out

    After accumulating 214k LVL tokens, the attacker swapped them for 3,345 BNB, equivalent to approximately $1 million at the time of the hack. This process is akin to the cunning customer exchanging their illegitimately obtained rewards for cash at the store.

    Recommendations for Enhanced Security

    To prevent similar attacks from occurring in the future, it is crucial to implement robust technical mitigation measures. Here are some recommendations to address the vulnerability in the LevelReferralControllerV2 contract:

    Add a Check for Reused Epochs

    Modify the "claimMultiple" function to include a check that prevents users from claiming rewards for the same epoch more than once. This can be achieved by adding a conditional statement that verifies whether the user has already claimed rewards for a specific epoch before processing their claim.

    Example code addition:

    require(users[epoch][msg.sender].claimed == 0, "Reward already claimed for this epoch");

    Improve Auditing and Testing

    Enhance the auditing process by working closely with reputable security firms, ensuring a comprehensive review of the smart contracts. Implement thorough testing, including edge cases and stress tests, to identify any potential vulnerabilities before deployment.

    Monitor On-Chain Activity

    Implement robust on-chain monitoring systems to detect suspicious activities and potential threats in real-time. This can help in identifying and mitigating attacks before they cause significant damage.

    Transaction Analysis 

    Exploiter's Address: 0x70319d1c09e1373fc7b10403...

    This is the address used by the attacker to execute the hack and receive the stolen LVL tokens. By examining the transaction history of this address, we can trace the steps taken by the attacker, including the preparation for the attack and the subsequent token swaps.

    Hack Transaction: 0xe1f25704...

    shows how the attacker used the claimMultiple function to exploit the vulnerability and drain LVL tokens. The transaction reveals that the attacker claimed referral rewards multiple times for the same epoch, resulting in a large number of LVL tokens being transferred to their address.

    LevelReferralControllerV2 Contract: 0x977087422C008233615b572...

    This contract contains the vulnerable claimMultiple function that the attacker exploited. By analyzing the contract's code and interactions with other addresses, we can better understand the nature of the vulnerability and its implications.

    Drained LVL Tokens and Swaps:

    After successfully exploiting the vulnerability, the attacker drained 214k LVL tokens to their address. They then proceeded to swap the LVL tokens for 3,345 BNB, worth approximately $1 million at the time of the hack. The swapping of tokens contributed to the temporary crash in the LVL token price.

    Fund Flow

    Level Finance - Fund Flow (1)
    Level Finance - Fund Flow (2)


    The Level Finance hack highlights the importance of robust security measures and thorough auditing processes for decentralized finance platforms. Despite being a sophisticated DeFi platform with innovative features, Level Finance fell victim to a $1.1 million hack due to a vulnerability in the LevelReferralControllerV2 contract. This incident serves as a reminder that even well-designed platforms can be exposed to significant risks if proper security checks and balances are not in place.

    As DeFi platforms continue to grow in popularity, it is crucial for developers and project teams to prioritize the security of their smart contracts and to learn from incidents like the Level Finance hack. Implementing robust technical mitigations, conducting comprehensive audits, and engaging the community can significantly reduce the risk of security breaches and ensure a safer environment for users.

    In light of this incident, we strongly recommend projects to get their smart contracts audited by reputable security firms such as BlockApex . A thorough audit conducted by experienced professionals can help identify and address vulnerabilities before they can be exploited by malicious actors, ultimately safeguarding the integrity of the platform and its users' assets.

    By taking these important steps, DeFi platforms can continue to innovate and thrive while ensuring the security and trust of their users.

    More Hack Analysis

    Orion Protocol - February 4, 2023

    The attackers exploited a reentrancy vulnerability in the Orion Protocol's core contract, ExchangeWithOrionPool, by constructing a fake token (ATK) with self-destruct capability that led to the transfer() function.

    Dforce Network - February 13, 2023

    The attack on dForce network had significant consequences for the platform and its users. By exploiting a reentrancy vulnerability in the wstETH/ETH pool on Curve and the dForce wstETH/ETH Vault, the attacker was able to manipulate the virtual price of the pool, which in turn affected the oracle used by the dForce wstETH/ETH Vault

    HUNDRED FINANCE - April 15, 2023

    On April 15th, 2023, Hundred Finance was hacked, resulting in a loss of approximately $7.4 million USD in various cryptocurrencies. The attacker exploited an integer rounding vulnerability in the platform's contract logic when a market was empty.

    Cream Finance Hack: What Motivates Hackers to Return Stolen Funds?

    From an outsider’s perspective, returning millions of dollars worth of funds after successfully pulling off a complicated exploit is, at best, admirable, and at worst, foolish. What could be the motivation behind such a decision?

    SushiSwap - April 9, 2023

    On April 9, 2023, SushiSwap suffered a security breach which led to a loss of over $3.3 million. The attack exploited a flaw in the RouteProcessor2 contract of SushiSwap's router processor. The fallout was felt across several major chains that had previously authorized the RouteProcessor2 contract.

    SAFEMOON - March 29, 2023

    Safemoon suffered an attack in which the SFM/BNB pool was drained, resulting in a loss of $8.9M worth of ‘locked LP’. The attack was carried out by exploiting a vulnerability in the new Safemoon contract that allowed anyone to burn SFM tokens from any address, thus inflating the price of SFM tokens in the pool.

    Jimbo's Protocol - Monday, May 28, 2023

    Jimbo's Protocol is a decentralized finance (DeFi) system built on the Arbitrum chain. The protocol uses a semi-stable floor price for its ERC-20 token, $JIMBO, backed by a treasury of Ether (ETH). However, despite its pioneering efforts to maintain on-chain liquidity and price floors, Jimbo's Protocol recently faced a Flash loan attack.

    Beanstalk Hack Analysis & POC (Apr 17, 2022)

    Beanstalk protocol got hacked for around $74M through exploiting the governance mechanism & stealing all the BEANS & Curve LP tokens stored in the Beanstalk protocol.

    Pickle Finance Hack Analysis & POC (Nov 21st, 2021)

    On 21sth November 2021, Pickle finance was hacked, where an attacker was able to drain $19M DAI from the pDai jar. The attack exploited multiple inconsistencies & flaws in the logic of the pickle jar contract.

    1 2 3
    Designed & Developed by: 
    All rights reserved. Copyright 2023