LEVEL FINANCE - May 2, 2023

Table Of Content



Level Finance is a decentralized finance (DeFi) platform operating on the BNB Chain that offers users the ability to trade perpetual markets in a non-custodial and decentralized manner. The platform focuses on providing unique risk management features and innovative liquidity solutions, aiming to create an efficient, transparent, and secure financial ecosystem. However, its advanced architecture also exposes vulnerabilities that can be exploited by malicious actors. In this hack analysis, we will explore the Level Finance hack, where $1.1 million in referral rewards were stolen, emphasizing the critical role of security measures and on-chain monitoring in the DeFi space.

Hack Impact

The Level Finance hack significantly affected the platform and its users, as the attacker managed to steal $1.1 million in referral rewards. This breach undermined trust in Level Finance and raised concerns about the security of similar DeFi platforms. Additionally, the LVL token price crashed by 65% due to the attacker's actions, although it later mostly recovered. This price fluctuation negatively impacted investor and trader confidence, potentially affecting trading volume and market liquidity.

Level Finance - token price impact

Level Finance: Hack Explained

The Level Finance hack occurred due to a bug in the LevelReferralControllerV2 contract. The contract contained a function called "claimMultiple," which was designed to allow users to claim their referral rewards for multiple epochs. However, the function lacked a critical check that would prevent a user from claiming rewards for the same epoch multiple times. The attacker exploited this vulnerability to steal a large amount of LVL tokens, which they later converted into BNB.

Here is the Break down of the Attack:

Understanding the Vulnerable Function

The "claimMultiple" function is like a rewards counter at a store, where customers can redeem their earned points for rewards. However, the counter has a flaw: it doesn't check if a customer has already claimed their reward for the same period (epoch). This allows customers to claim the same reward multiple times.

Level Finance - Vulnerable function

Preparing the Attack

The attacker, acting like a cunning customer, first created many referrals to increase their reward tier (the more referrals, the higher the rewards). Next, they used flash loans to perform dozens of swaps, simulating genuine trading activity and increasing their reward points further.

Exploiting the Vulnerability

The attacker visited the flawed rewards counter (the "claimMultiple" function) and claimed referral rewards for the same epoch multiple times, taking advantage of the missing check. This allowed them to drain a large number of LVL tokens from the Level Finance platform.

Level Finance - exploit

Cashing Out

After accumulating 214k LVL tokens, the attacker swapped them for 3,345 BNB, equivalent to approximately $1 million at the time of the hack. This process is akin to the cunning customer exchanging their illegitimately obtained rewards for cash at the store.

Recommendations for Enhanced Security

To prevent similar attacks from occurring in the future, it is crucial to implement robust technical mitigation measures. Here are some recommendations to address the vulnerability in the LevelReferralControllerV2 contract:

Add a Check for Reused Epochs

Modify the "claimMultiple" function to include a check that prevents users from claiming rewards for the same epoch more than once. This can be achieved by adding a conditional statement that verifies whether the user has already claimed rewards for a specific epoch before processing their claim.

Example code addition:

require(users[epoch][msg.sender].claimed == 0, "Reward already claimed for this epoch");

Improve Auditing and Testing

Enhance the auditing process by working closely with reputable security firms, ensuring a comprehensive review of the smart contracts. Implement thorough testing, including edge cases and stress tests, to identify any potential vulnerabilities before deployment.

Monitor On-Chain Activity

Implement robust on-chain monitoring systems to detect suspicious activities and potential threats in real-time. This can help in identifying and mitigating attacks before they cause significant damage.

Transaction Analysis 

Exploiter's Address: 0x70319d1c09e1373fc7b10403...

This is the address used by the attacker to execute the hack and receive the stolen LVL tokens. By examining the transaction history of this address, we can trace the steps taken by the attacker, including the preparation for the attack and the subsequent token swaps.

Hack Transaction: 0xe1f25704...

shows how the attacker used the claimMultiple function to exploit the vulnerability and drain LVL tokens. The transaction reveals that the attacker claimed referral rewards multiple times for the same epoch, resulting in a large number of LVL tokens being transferred to their address.

LevelReferralControllerV2 Contract: 0x977087422C008233615b572...

This contract contains the vulnerable claimMultiple function that the attacker exploited. By analyzing the contract's code and interactions with other addresses, we can better understand the nature of the vulnerability and its implications.

Drained LVL Tokens and Swaps:

After successfully exploiting the vulnerability, the attacker drained 214k LVL tokens to their address. They then proceeded to swap the LVL tokens for 3,345 BNB, worth approximately $1 million at the time of the hack. The swapping of tokens contributed to the temporary crash in the LVL token price.

Fund Flow

Level Finance - Fund Flow (1)
Level Finance - Fund Flow (2)


The Level Finance hack highlights the importance of robust security measures and thorough auditing processes for decentralized finance platforms. Despite being a sophisticated DeFi platform with innovative features, Level Finance fell victim to a $1.1 million hack due to a vulnerability in the LevelReferralControllerV2 contract. This incident serves as a reminder that even well-designed platforms can be exposed to significant risks if proper security checks and balances are not in place.

As DeFi platforms continue to grow in popularity, it is crucial for developers and project teams to prioritize the security of their smart contracts and to learn from incidents like the Level Finance hack. Implementing robust technical mitigations, conducting comprehensive audits, and engaging the community can significantly reduce the risk of security breaches and ensure a safer environment for users.

In light of this incident, we strongly recommend projects to get their smart contracts audited by reputable security firms such as BlockApex . A thorough audit conducted by experienced professionals can help identify and address vulnerabilities before they can be exploited by malicious actors, ultimately safeguarding the integrity of the platform and its users' assets.

By taking these important steps, DeFi platforms can continue to innovate and thrive while ensuring the security and trust of their users.

More Audits

Euler Finance (March 14, 2023)

The Euler Finance hack had a devastating impact on the platform and its users, with approximately $197 million worth of assets stolen, including ETH, WBTC, USDC, and DAI. This placed Euler Finance at number 6 on the leaderboard of the largest DeFi hacks. The platform's total value locked (TVL) dropped from $264 million to just $10 million.

SAFEMOON - March 29, 2023

Safemoon suffered an attack in which the SFM/BNB pool was drained, resulting in a loss of $8.9M worth of ‘locked LP’. The attack was carried out by exploiting a vulnerability in the new Safemoon contract that allowed anyone to burn SFM tokens from any address, thus inflating the price of SFM tokens in the pool.

Orion Protocol - February 4, 2023

The attackers exploited a reentrancy vulnerability in the Orion Protocol's core contract, ExchangeWithOrionPool, by constructing a fake token (ATK) with self-destruct capability that led to the transfer() function.

Jump DeFi - Audit Report

Jump Defi infrastructure built on NEAR Protocol, a reliable and scalable L1 solution. Jump Defi is a one-stop solution for all core Defi needs on NEAR. Jump ecosystem has a diverse range of revenue-generating products which makes it sustainable.

Yamato Stablecoin Lending - Audit Report (June 20th, 2022)

Yamato Protocol is a crypto-secured stablecoin generator DApp pegged to JPY. Yamato Protocol is a lending decentralized financial application (DeFi) that can generate Japanese Yen stablecoin "CJPY". It is being developed by DeFiGeek Community Japan, a decentralized autonomous organization.

Chainpals Token Audit Report

The main contract is called Chainpals Token. The minting and transfer of the complete supply is done during deployment. This means new tokens can only be minted if the old ones are burnt.

Unipilot Farming Audit Report

BlockApex (Auditor) was contracted by Voirstudio (Client) for the purpose of conducting a Smart Contract Audit/Code Review of Unipilot Farming module. This document presents the findings of our analysis which took place on   _9th November 2021___ . 

Blockchain Trilemma: The Three Fighting Factors

Blockchain Trilemma - coined by Vitalik Buterin himself, is a condition in which the blockchain undergoes a compromising stage. It is truly believed that a fully decentralized network can never be scalable and secured at the same time.

Harvest Finance Hack Analysis & POC

Harvest finance got hacked for around $34M due to a flashloan attack which manipulated the price in the Curve pool to retrieve more USDT tokens than originally deposited USDT amount in fUSDT pool.

1 2 3 11
Designed & Developed by: 
All rights reserved. Copyright 2023