
Briefing

On May 1, 2023, the Level Finance decentralized exchange experienced a targeted exploit that resulted in the theft of approximately $1.1 million in LVL tokens. The incident stemmed from a critical business logic vulnerability in the LevelReferralControllerV2 smart contract, specifically its claimMultiple() function, which allowed an attacker to claim referral rewards repeatedly within a single epoch. This flaw enabled the attacker to drain 214,000 LVL tokens, which were subsequently swapped for 3,345 BNB, causing a significant 50% devaluation of the LVL token.


Context

Prior to this incident, the DeFi ecosystem had consistently faced an attack surface characterized by complex smart contract interactions and the inherent risks of novel protocol designs. A common vulnerability class involves insufficient input validation and flawed business logic, often overlooked even in audited contracts. The Level Finance protocol, despite undergoing two security audits in 2023, exhibited a critical gap in its precondition checks, leaving its referral reward mechanism susceptible to manipulation.


Analysis

The incident’s technical mechanics centered on a logic bug within the claimMultiple() function of Level Finance’s LevelReferralControllerV2 smart contract on the BNB Chain. The contract was designed to allow users to claim referral rewards once per epoch; however, it lacked a crucial check to prevent the reuse of an epoch identifier during reward claims. The attacker leveraged this flaw by creating numerous referral accounts and employing flash loans to rapidly increase their reward tier. This preparation enabled them to call the claimMultiple() function multiple times within the same epoch, accumulating unauthorized rewards and ultimately draining approximately $1.1 million in LVL tokens from the protocol.
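The following is an added, illustrative Solidity model of the flaw class described above; it is not Level Finance's actual contract, and the contract name, mappings and function names are assumed for the example. The vulnerable function pays out every epoch id it is handed without recording the claim, while the hardened version marks each (epoch, user) pair as claimed before any tokens move:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Illustrative epoch-based referral reward controller (constructed example,
/// not the Level Finance contract). Rewards are tracked per epoch and per user.
contract ReferralRewardsExample {
    IERC20 public immutable rewardToken;
    /// epoch => user => reward earned in that epoch (populated elsewhere by the protocol)
    mapping(uint256 => mapping(address => uint256)) public rewardOf;
    /// epoch => user => whether that epoch's reward has already been paid
    mapping(uint256 => mapping(address => bool)) public claimed;

    constructor(IERC20 _token) { rewardToken = _token; }

    /// VULNERABLE pattern: sums rewards for every epoch id supplied but never
    /// consults or updates `claimed`, so the same epoch can be listed many times
    /// in one call, or claimed again by a later call, and is paid each time.
    function claimMultipleVulnerable(uint256[] calldata epochs) external {
        uint256 total;
        for (uint256 i = 0; i < epochs.length; i++) {
            total += rewardOf[epochs[i]][msg.sender];
        }
        require(total > 0, "nothing to claim");
        rewardToken.transfer(msg.sender, total);
    }

    /// HARDENED pattern: each (epoch, user) pair is marked claimed before any
    /// payout, so a duplicate id in the array or a repeated call reverts. The
    /// state update precedes the external transfer (checks-effects-interactions).
    function claimMultiple(uint256[] calldata epochs) external {
        uint256 total;
        for (uint256 i = 0; i < epochs.length; i++) {
            uint256 epoch = epochs[i];
            require(!claimed[epoch][msg.sender], "epoch already claimed");
            claimed[epoch][msg.sender] = true;
            total += rewardOf[epoch][msg.sender];
        }
        require(total > 0, "nothing to claim");
        require(rewardToken.transfer(msg.sender, total), "transfer failed");
    }
}
```

A unit test that calls the hardened function with `[7, 7]` or twice with `[7]` should revert on the second occurrence of the epoch; the same inputs against the vulnerable function pay double.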


Parameters

  • Protocol Targeted ∞ Level Finance
  • Attack Vector ∞ Business Logic Flaw (Repeated Referral Claims)
  • Vulnerable Component ∞ LevelReferralControllerV2 Smart Contract (claimMultiple() function)
  • Financial Impact ∞ $1.1 Million
  • Assets Stolen ∞ 214,000 LVL tokens (swapped for 3,345 BNB)
  • Blockchain ∞ BNB Chain
  • Date of Exploit ∞ May 1, 2023
  • Token Price Impact ∞ LVL token dropped 50%


Outlook

Immediate mitigation involved Level Finance temporarily shutting down its referral program and planning a new contract implementation, underscoring the necessity of swift incident response. This exploit highlights the persistent contagion risk for similar protocols employing complex reward mechanisms without rigorous validation of state changes and precondition checks. The incident reinforces the need for enhanced security best practices, including continuous on-chain monitoring for anomalous transactions and the adoption of formal verification methods beyond traditional audits to identify subtle business logic flaws that can lead to significant financial loss.

The Level Finance exploit serves as a critical reminder that even audited smart contracts can harbor subtle business logic vulnerabilities, demanding continuous vigilance and advanced forensic capabilities to safeguard digital assets.

Signal Acquired from ∞ Bleeping Computer


decentralized exchange

Definition ∞ A Decentralized Exchange (DEX) is a cryptocurrency trading platform that operates without a central intermediary or custodian.

business logic

Definition ∞ Business logic refers to the set of rules, processes, and operations that define how an organization functions and how its data is managed.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

logic flaw

Definition ∞ A logic flaw represents an error in the design or operational reasoning of a system.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

tokens

Definition ∞ Tokens are digital units of value or utility that are issued on a blockchain and represent an asset, a right, or access to a service.

bnb chain

Definition ∞ BNB Chain is a decentralized blockchain network that supports smart contracts and decentralized applications.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

token

Definition ∞ A token is a unit of value issued by a project on a blockchain, representing an asset, utility, or right.

security

Definition ∞ Security refers to the measures and protocols designed to protect assets, networks, and data from unauthorized access, theft, or damage.