It seems that an as-yet-unnamed group identified the flaw in the smart contract and, after exploiting it, was able to offload 214,000 LVL tokens from the exchange and convert them to 3,345 BNB. The value of the theft is in excess of $1 million. Level sent out a quick tweet to let everyone know that the attack did not affect all smart contracts, nor the liquidity pool or DAO treasury. They also announced that a fix for the flaw would be deployed within 12 hours of the tweet (May 1st at 11:54 PM), meaning the fix is already in place now. Level has asked its community for input on what to do about the 214k tokens added to circulation and has committed to keeping everyone informed as the investigation into the hack continues.
The flaw in the smart contract has been identified as a logic bug that allowed the attacker to claim referral rewards repeatedly within the same period of time. The attacker set up multiple referral accounts, each with multiple referrals. They also leveraged flash loans to perform multiple swaps and amplify the referral reward earned when swapping from one token to another, netting a reward for each swap. The investigation found that the attacker tried this multiple times before the theft on May 1st but failed. They eventually found the right sequence of steps and, for now, have walked away with more than $1 million.
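To make the class of bug concrete, here is an added, constructed Python model of an epoch-based referral reward claim (it is not Level Finance's contract code, and the reward rate, account names and swap volumes are assumptions). The vulnerable version computes the reward correctly but never records that the epoch has been paid, so the same period can be claimed again; the hardened version pays each (referrer, epoch) pair exactly once. A small invariant check at the end shows what a defender can monitor: tokens paid out should never exceed tokens accrued.

```python
"""Constructed model of an epoch-based referral reward claim, showing the
logic defect described above (a claim repeatable within the same period)
next to a hardened version. Illustrative simplification written for this
page, not Level Finance's contract code."""
from collections import defaultdict

REWARD_BPS = 10  # assumed: referrer earns 0.10% of referee swap volume


class ReferralRewardsVulnerable:
    """Accrues rewards per (referrer, epoch). claim() pays out but never
    records that the epoch was already paid, so it can be called again."""

    def __init__(self):
        self.referrer_of = {}               # referee -> referrer
        self.accrued = defaultdict(int)     # (referrer, epoch) -> reward
        self.paid_out = 0                   # total tokens paid to referrers

    def register(self, referee, referrer):
        self.referrer_of[referee] = referrer

    def record_swap(self, trader, volume, epoch):
        referrer = self.referrer_of.get(trader)
        if referrer is not None:
            self.accrued[(referrer, epoch)] += volume * REWARD_BPS // 10_000

    def claim(self, referrer, epoch):
        reward = self.accrued[(referrer, epoch)]
        self.paid_out += reward             # BUG: epoch never marked as claimed
        return reward


class ReferralRewardsFixed(ReferralRewardsVulnerable):
    """Same accounting, but each (referrer, epoch) pays out exactly once."""

    def __init__(self):
        super().__init__()
        self.claimed = set()

    def claim(self, referrer, epoch):
        key = (referrer, epoch)
        if key in self.claimed:
            raise ValueError("referral reward for this epoch already claimed")
        self.claimed.add(key)               # mark before paying (checks-effects)
        reward = self.accrued[key]
        self.paid_out += reward
        return reward


def total_accrued(contract):
    return sum(contract.accrued.values())


def run_scenario(contract, claims_per_epoch):
    """One referrer with three referees, each swapping a large (constructed)
    volume in epoch 1, standing in for flash-loan-amplified swaps; the
    referrer then tries to claim claims_per_epoch times. Returns
    (paid_out, total_accrued) so the invariant can be checked."""
    for referee in ("refereeA", "refereeB", "refereeC"):
        contract.register(referee, "referrer1")
        contract.record_swap(referee, 1_000_000, epoch=1)
    for _ in range(claims_per_epoch):
        try:
            contract.claim("referrer1", 1)
        except ValueError:
            break                           # hardened version refuses repeats
    return contract.paid_out, total_accrued(contract)


def overpaid(contract):
    """Monitoring invariant: rewards paid out must never exceed rewards
    accrued. A breach of this is the on-chain signal of a repeated claim."""
    return contract.paid_out > total_accrued(contract)


if __name__ == "__main__":
    v = ReferralRewardsVulnerable()
    print("vulnerable (paid, accrued):", run_scenario(v, 5), "overpaid:", overpaid(v))
    f = ReferralRewardsFixed()
    print("fixed      (paid, accrued):", run_scenario(f, 5), "overpaid:", overpaid(f))
```

The fix is a one-line state change (marking the epoch claimed before paying), which is exactly the kind of defect a line-by-line audit of the claim path should catch and an invariant-based monitor should flag within one block of the first repeated claim.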
Level is not the first company to find out that audits and assessments do not equal security, especially in the banking and finance world. These tools can be effective, but they are only a review of the policies and practices you use in setting up your security, confirming that you have proper controls in place for the basics. Then again, far too many crypto groups do not follow secure development lifecycle (SDLC) practices, and many auditors are not knowledgeable enough on the topic to cover it properly. Passing an audit or an assessment does not mean you have a mature security environment: you can pass many audits and assessments with just the bare minimum, and careful wording of your scope can leave you nowhere near secure, just compliant.