Hackers exploited a Level Finance smart contract vulnerability to drain 214,000 LVL tokens from the decentralized exchange and swapped them for 3,345 BNB, worth roughly $1,100,000.

While Level Finance said the attack did not affect its liquidity pool or the DAO treasury, and that the exploited contract was isolated from all other contracts, the LVL token lost roughly 50% of its value immediately after the attack was made public.

Level Finance tweet

The company has promised to provide updates on the situation as soon as the investigation reveals more. The DAO has since launched a proposal asking for votes on how the community should handle the 214K LVL tokens added to circulation by the attack.

Blockchain security and data analytics company PeckShield explained that the breached smart contract, 'LevelReferralControllerV2,' had a logic bug in the claimMultiple function that allowed users to repeatedly claim referral rewards within the same epoch (time period).

Bug in the contract's code (PeckShield)

Smart contract auditor BlockSec reached the same conclusion, adding that the hacker had tried to exploit the flaw multiple times since last week and failed.

"Specifically, the claim reward was determined by the tier of referral and reward points, hence the attacker made the following preparation: 1) creating and setting many referrals; 2) using flashloan to perform dozens of swaps (the reward was updated in the postSwap function)," explained BlockSec on Twitter.

The attacker created multiple referral accounts to maximize the rewards they could obtain by exploiting the smart contract bug.

Flash loans (a borrow and repayment completed within a single transaction) were used to amplify the referral rewards further, allowing the attacker to perform dozens of swaps from one token to another and earn a reward for each one, without needing to hold the swapped capital themselves.

Eventually, the attacker got the steps right yesterday and launched the hack that made them $1.1 million.
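The pattern described above, as an added illustration that is not Level Finance's LevelReferralControllerV2 code (the contract names, storage layout and the postSwap/claimMultiple bodies below are hypothetical, and the real defect may differ in detail): a claimMultiple function that records the "already claimed" state only after summing the payout, so listing the same epoch several times in one call pays that epoch several times, beside a version that marks each epoch claimed before anything is paid and rejects repeats outright.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, NOT Level Finance's contract. Names and bodies are
// hypothetical; only the bug class (re-claiming one epoch's reward) matches
// what PeckShield and BlockSec described.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

abstract contract ReferralRewardsBase {
    IERC20 public immutable rewardToken;
    address public immutable router;                                // only the swap router may credit points
    mapping(uint256 => mapping(address => uint256)) public points;  // epoch => user => reward points
    mapping(uint256 => mapping(address => bool)) public claimed;    // epoch => user => already paid?

    constructor(IERC20 token, address swapRouter) {
        rewardToken = token;
        router = swapRouter;
    }

    // Stand-in for a postSwap hook: every swap routed through the DEX credits
    // points for the current epoch. This is the balance a flash-loan-funded
    // loop of dozens of swaps inflates before the claim is made.
    function postSwap(address user, uint256 epoch, uint256 pts) external {
        require(msg.sender == router, "not router");
        points[epoch][user] += pts;
    }

    function claimMultiple(uint256[] calldata epochs, address to) external virtual;
}

contract ReferralRewardsVulnerable is ReferralRewardsBase {
    constructor(IERC20 token, address swapRouter) ReferralRewardsBase(token, swapRouter) {}

    // BUG: "claimed" is only written after the summing loop, so the same epoch
    // listed N times in one call is paid N times. claimMultiple([7, 7, 7], to)
    // pays three times the epoch-7 reward in a single transaction.
    function claimMultiple(uint256[] calldata epochs, address to) external override {
        uint256 total;
        for (uint256 i = 0; i < epochs.length; i++) {
            uint256 e = epochs[i];
            if (claimed[e][msg.sender]) continue;   // checks state that is not yet updated
            total += points[e][msg.sender];
        }
        for (uint256 i = 0; i < epochs.length; i++) {
            claimed[epochs[i]][msg.sender] = true;  // effect lands too late to stop duplicates
        }
        require(rewardToken.transfer(to, total), "transfer failed");
    }
}

contract ReferralRewardsFixed is ReferralRewardsBase {
    constructor(IERC20 token, address swapRouter) ReferralRewardsBase(token, swapRouter) {}

    // Fixed: mark each epoch claimed in the same iteration that reads it, and
    // revert on a repeat instead of silently skipping it. A duplicated or
    // previously paid epoch now fails the whole call before any transfer.
    function claimMultiple(uint256[] calldata epochs, address to) external override {
        uint256 total;
        for (uint256 i = 0; i < epochs.length; i++) {
            uint256 e = epochs[i];
            require(!claimed[e][msg.sender], "epoch already claimed");
            claimed[e][msg.sender] = true;          // effect before the interaction
            total += points[e][msg.sender];
        }
        require(rewardToken.transfer(to, total), "transfer failed");
    }
}
```

Two checks worth running against any batch-claim function, whether or not it was in an audit's scope: call it with the same identifier repeated in the array and confirm it reverts rather than paying twice, and confirm the "claimed" write happens before the token transfer so a duplicate entry (or a re-entrant call) hits already-updated state.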

Audited doesn't mean secure

Although Level Finance did its best to protect assets by ordering two audits from independent firms, the hacker still found a way to exploit the code and steal funds through an overlooked bug.

However, while Level Finance was audited twice in 2023, it is unclear whether the vulnerable function was within the scope of those audits or was added afterwards.

Security audits are neither bulletproof nor should they be treated as an assurance of safety and security, as we have seen several times in the past.

Last week, DEX Merlin was compromised due to a "major fault in the structural integrity and controls of the platform," losing $1.82 million that rogue insiders drained from its liquidity pool. This happened mere days after DEX Merlin announced a successful audit by blockchain security firm CertiK.

Last year, decentralized music platform Audius lost $6 million worth of tokens after an attacker exploited a flaw in a system that had undergone two in-depth security assessments from separate auditors since it launched.