Briefing

On May 1, 2023, the Level Finance decentralized exchange was hit by a targeted exploit that drained approximately $1.1 million in LVL tokens. The root cause was a business logic vulnerability in the LevelReferralControllerV2 smart contract, specifically its claimMultiple() function, which allowed an attacker to claim the same epoch's referral rewards repeatedly. The attacker drained 214,000 LVL tokens and swapped them for 3,345 BNB; the LVL token's price fell by roughly 50% as a result.


Context

Before this incident, the DeFi ecosystem had repeatedly faced an attack surface shaped by complex smart contract interactions and the inherent risks of novel protocol designs. A common vulnerability class is insufficient input validation and flawed business logic, which audits often miss. Level Finance, despite undergoing two security audits in 2023, shipped a critical gap in the precondition checks of its referral reward mechanism, leaving it open to manipulation.


Analysis

The technical mechanics of the incident centered on a logic bug in the claimMultiple() function of Level Finance's LevelReferralControllerV2 smart contract on the BNB Chain. The contract was designed to pay each user's referral rewards once per epoch, but claimMultiple() lacked a check that an epoch identifier had not already been claimed, so presenting the same epoch again was accepted and paid again. The attacker first created numerous referral accounts and used flash loans to rapidly raise their reward tier, then called claimMultiple() repeatedly within the same epoch, accumulating unauthorized rewards and draining approximately $1.1 million in LVL tokens from the protocol.
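The duplicate-epoch flaw described above, as an added example that is not Level Finance's code: a hypothetical minimal referral controller with the vulnerable claim loop beside a hardened one. The contract names, storage layout, and the rewardToken, rewardOf and claimed identifiers are assumptions chosen to show the bug class, not a reconstruction of the real LevelReferralControllerV2 source. How rewards accrue and how currentEpoch advances are out of scope and omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example written for this page. NOT the Level Finance
// LevelReferralControllerV2 source; names, storage layout and signatures
// are assumptions that show the bug class, nothing more.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

abstract contract ReferralRewardsBase {
    IERC20 public immutable rewardToken;
    // Epochs strictly below currentEpoch are finalized and claimable.
    // Advancing epochs and accruing rewards is omitted here.
    uint256 public currentEpoch;
    // epoch => user => reward accrued for that user during that epoch
    mapping(uint256 => mapping(address => uint256)) public rewardOf;
    // epoch => user => whether that epoch's reward has been paid out
    mapping(uint256 => mapping(address => bool)) public claimed;

    constructor(IERC20 token) { rewardToken = token; }
}

// VULNERABLE: each iteration checks that the epoch is unclaimed, but the
// `claimed` flag is only written after the loop. A caller who passes the
// same finalized epoch id several times, e.g. [3, 3, 3, 3], passes the
// check on every iteration and is paid that epoch's reward once per entry.
contract ReferralRewardsVulnerable is ReferralRewardsBase {
    constructor(IERC20 token) ReferralRewardsBase(token) {}

    function claimMultiple(uint256[] calldata epochs, address to) external {
        uint256 total;
        for (uint256 i = 0; i < epochs.length; i++) {
            uint256 epoch = epochs[i];
            require(epoch < currentEpoch, "epoch not finalized");
            require(!claimed[epoch][msg.sender], "already claimed");
            total += rewardOf[epoch][msg.sender];
        }
        // State is updated too late: duplicates above were already counted.
        for (uint256 i = 0; i < epochs.length; i++) {
            claimed[epochs[i]][msg.sender] = true;
        }
        require(rewardToken.transfer(to, total), "transfer failed");
    }
}

// HARDENED: mark the epoch as claimed before its reward is added to the
// total (checks-effects-interactions). A repeated epoch id now fails the
// `!claimed` check on its second occurrence, so one (epoch, user) pair pays
// at most once, whether the duplicate is in the same call or a later one.
contract ReferralRewardsFixed is ReferralRewardsBase {
    constructor(IERC20 token) ReferralRewardsBase(token) {}

    function claimMultiple(uint256[] calldata epochs, address to) external {
        uint256 total;
        for (uint256 i = 0; i < epochs.length; i++) {
            uint256 epoch = epochs[i];
            require(epoch < currentEpoch, "epoch not finalized");
            require(!claimed[epoch][msg.sender], "already claimed");
            claimed[epoch][msg.sender] = true;  // effect before interaction
            total += rewardOf[epoch][msg.sender];
        }
        require(total > 0, "nothing to claim");
        require(rewardToken.transfer(to, total), "transfer failed");
    }
}
```

The invariant a reviewer or a property-based test should pin down is that the total ever transferred for a given (epoch, user) pair never exceeds rewardOf[epoch][user], regardless of how the epochs array is arranged or how many times claimMultiple() is called; the vulnerable contract violates it with a single call carrying a repeated id, the hardened one does not.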


Parameters

  • Protocol Targeted → Level Finance
  • Attack Vector → Business Logic Flaw (Repeated Referral Claims)
  • Vulnerable Component → LevelReferralControllerV2 Smart Contract (claimMultiple() function)
  • Financial Impact → $1.1 Million
  • Assets Stolen → 214,000 LVL tokens (swapped for 3,345 BNB)
  • Blockchain → BNB Chain
  • Date of Exploit → May 1, 2023
  • Token Price Impact → LVL token dropped 50%


Outlook

Level Finance's immediate mitigation was to shut down the referral program temporarily and plan a new contract implementation, underscoring the need for swift incident response. The exploit highlights the risk to similar protocols that run complex reward mechanisms without rigorous validation of state changes and precondition checks, in particular that a claim is recorded as paid before funds leave the contract. It reinforces the need for stronger security practices: continuous on-chain monitoring for anomalous transactions, and formal verification beyond traditional audits to catch subtle business logic flaws that can lead to significant financial loss.

The Level Finance exploit serves as a critical reminder that even audited smart contracts can harbor subtle business logic vulnerabilities, demanding continuous vigilance and advanced forensic capabilities to safeguard digital assets.

Signal Acquired from → Bleeping Computer

Micro Crypto News Feeds

decentralized exchange

Definition ∞ A Decentralized Exchange (DEX) is a cryptocurrency trading platform that operates without a central intermediary or custodian.

business logic

Definition ∞ Business logic refers to the set of rules, processes, and operations that define how an organization functions and how its data is managed.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

logic flaw

Definition ∞ A logic flaw represents an error in the design or operational reasoning of a system.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

tokens

Definition ∞ Tokens are digital units of value or utility that are issued on a blockchain and represent an asset, a right, or access to a service.

bnb chain

Definition ∞ BNB Chain is a decentralized blockchain network that supports smart contracts and decentralized applications.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

token

Definition ∞ A token is a unit of value issued by a project on a blockchain, representing an asset, utility, or right.

security

Definition ∞ Security refers to the measures and protocols designed to protect assets, networks, and data from unauthorized access, theft, or damage.