May 4th, 2023
In May 2023, Level Finance was the victim of an attack. The attacker stole an estimated $1.1 million from the project’s referral program.
The Level Finance hack was made possible by failed precondition checks. In theory, the protocol is designed to allow a user to claim a referral reward once per epoch. However, the protocol lacked checks to ensure that an epoch is not being reused by a claim.
The attacker exploited this by performing multiple referrals and using flashloans to increase their reward tier. By reusing the same epoch multiple times, the attacker was able to claim more in rewards than they were entitled to, allowing them to drain $1.1 million from the project.
The Level Finance vulnerability was overlooked in smart contract security audits, but it did demonstrate the potential benefits of on-chain attack monitoring. The exploit was initially attempted a week before the attack, providing ample warning to fix the issue if the initial attempt was detected.
Missing and incorrect precondition checks are a major threat to DeFi protocol security. Learn more about the threat of missing precondition checks in this article.