DecryptedTech DecryptedTech DecryptedTech DecryptedTech
Wednesday, 03 May 2023 13:34

Level Finance Crypto Finds Out Passing an Audit is not Security the Hard Way

Written by
Level Finance Crypto Finds Out Passing an Audit is not Security the Hard Way

Reading time is around minutes.

There is an old adage that says compliance is not a substitute for security. You can check all the compliance check boxes, pass audits, and still end up with an insecure environment. Level Finance Crypto found this out the hard way after they were hacked due to a vulnerability in how some of their smart contracts were set up, despite passing more than one IT Security Audit.

It seems that an as yet to be named group identified the flaw in the smart contact and after exploiting it, they were able to offload 214,000 LVL tokens from the exchange and convert that to 3,345 BNB. The value of the theft is in excess of $1 million dollars. Level sent out a quick tweet to let everyone know that the attack did not affect all smart contracts nor the Liquidity Pool or DAO treasury. They also announced that a fix for the flaw would be deployed in 12hours from the tweet (May 1st at 11:54PM) meaning this fix is already in place now. Level has asked their community for input on what to do about the 214k tokens added to circulation and has committed to keeping everyone informed as the investigation into the hack continues.

The flaw in the smart contract has been identified as a logic bug that allowed the attacker to claim referral rewards repeatedly within the same period of time. The attacker set up multiple referral accounts, which each had multiple referrals. They also leveraged flashloan to allow them to perform multiple swaps and amplify the referral reward when swapping from one token to another. This netted a reward for each swap. The investigation has identified that the attack tried to do this multiple times prior to the theft on May 1st but failed. They eventually found the right steps though and, for now, walked away with more than $1 million.

Level is not the first company to find out that Audits and Assessments do not mean security, especially in the banking and finance world. These tools can be effective, but they are only a review of the policies and practices you use in setting up your security and ensure that you have proper controls in place to deal with the basics of security. Then again far too many crypto groups do not practice secure development lifecycle (SDLC) practices and many Auditors are not as knowledgeable on this topic to truly cover it properly. Passing an audit or an assessment does not mean you have a mature security environment, you can pass many audits and assessments with just the bare minimum, not to mention careful wording in your scope can also leave you nowhere near secure, just compliant.

 

Read 416 times
Published in News
Tagged under
Sean Kalinich

Latest from Sean Kalinich

Related items

More in this category: « ChatGPT Might get a Private Option for Business According to Microsoft Double DLL Sideloading, it’s a Thing as Attackers Grow More Sophisticated »

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.

back to top

Follow Us

  • Follow Us

    Follow DecryptedTech on Social Media

    facebook twitter linkedin