HACK ANALYSIS

Level Finance Hack Analysis

Overview:

On May 1, 2023, Level Finance was exploited due to a business logic issue and incorrect calculation resulting in a total loss of $1.1M

Smart Contract Hack Overview:

Attacker's address: 0x70319
Vulnerable contract: 0x9f00f
Attacker transaction: 0xe1f25

Decoding the Smart Contract Vulnerability:

  • The claimable reward was determined by the referral tier and reward points, so the exploiter prepared the attack by creating many referrals and using flash loans to make swaps, thereby raising their reward tier.
  • The attack was caused by a logic vulnerability in the claimMultiple() function of the “LevelReferralControllerV2” smart contract, which enabled repeated claims of referral rewards within the same epoch (time period).
  • The claimMultiple() function does not check that an epoch passed to it has not already been claimed, so the same epoch can be reused within one call.
  • When claimMultiple() calls claimable() with the same epoch multiple times, claimable() keeps returning a positive value, and each of those values is added to the total reward payout.
  • As a result, 214k LVL was drained from the referral contract and converted to 3,345 BNB by the attacker.
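The following is an added, simplified model of the claim flow described above, written for this write-up; it is not the LevelReferralControllerV2 source. The class name, the earned-reward figures and the two-phase claimed update in the vulnerable path are constructed assumptions chosen only to reproduce the described behaviour (a duplicated epoch paid once per occurrence) and the fix from the mitigation section (users[epoch][msg.sender].claimed += reward).

```python
from collections import defaultdict

# Hypothetical model, not the contract's code: it reproduces only the behaviour
# the write-up describes, namely that a duplicated epoch inside one
# claimMultiple() call is paid once per occurrence unless the stored
# claimed amount for that epoch is updated before the next iteration.


class ReferralRewards:
    def __init__(self, earned, patched):
        # epoch -> reward earned by the caller in that epoch (constructed input)
        self.earned = dict(earned)
        # storage: epoch -> amount already claimed (users[epoch][msg.sender].claimed)
        self.claimed = defaultdict(int)
        self.patched = patched

    def claimable(self, epoch):
        # Reward still owed for the epoch: earned minus what storage says was claimed.
        return self.earned.get(epoch, 0) - self.claimed[epoch]

    def claim_multiple(self, epochs):
        total = 0
        pending = {}
        for epoch in epochs:
            reward = self.claimable(epoch)
            if reward == 0:
                continue
            total += reward
            if self.patched:
                # Fix from the write-up: bump the stored claimed amount immediately,
                # so a second occurrence of the same epoch sees claimable() == 0.
                self.claimed[epoch] += reward
            else:
                # Vulnerable model: the claimed amount is only recorded per call,
                # so claimable() keeps returning the full reward for a repeated epoch.
                pending[epoch] = reward
        if not self.patched:
            for epoch, reward in pending.items():
                self.claimed[epoch] += reward
        return total


def payout(patched, epochs, earned=None):
    """Run one claimMultiple() call on a fresh contract state and return the payout."""
    earned = earned if earned is not None else {1: 100, 2: 50}
    return ReferralRewards(earned, patched).claim_multiple(epochs)
```

With the constructed input, payout(False, [1, 1, 1]) pays 300 for an epoch that earned 100, while payout(True, [1, 1, 1]) pays 100; a unit test that passes duplicated epochs to claimMultiple() is the kind of business-logic test case the mitigation section calls for.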

Mitigation and Best Practices:

  • The bug was fixed by changing the vulnerable line so that the claimed amount is accumulated in storage: users[epoch][msg.sender].claimed += reward;
  • Always validate your code by writing comprehensive test cases that cover all possible business-logic paths.
  • To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan

Conclusion:

SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup
