
Level Finance Referral Contract Drained for $1.1 Million in BNB Chain Smart Contract Attack

Decentralized perpetual exchange Level Finance fell victim to a sophisticated smart contract exploit on May 1, 2023, resulting in the theft of 214,000 LVL tokens worth approximately $1.1 million. The attack targeted a vulnerability in the platform’s referral reward system, sending shockwaves through the BNB Chain DeFi ecosystem as Bitcoin traded near $28,680 and Ethereum held at $1,870.

The Exploit Mechanics

The attack centered on Level Finance’s LevelReferralControllerV2 smart contract, specifically a logic bug in the claimMultiple function. Blockchain security firm PeckShield identified that the flaw allowed users to repeatedly claim referral rewards within the same epoch — a fixed time window in which each account should have been able to claim its referral reward only once.

The attacker’s preparation was methodical and multi-layered. According to an analysis by security firm BlockSec, the hacker first created multiple referral accounts to maximize potential rewards. They then used flashloans — single-transaction borrows that must be repaid within the same block — to amplify referral reward points, routing dozens of token swaps through the platform’s postSwap function; each swap updated and increased the attacker’s reward balance.

Once the reward points reached sufficient levels across the manipulated referral accounts, the attacker triggered the claimMultiple function to drain the accumulated LVL tokens. The stolen 214,000 LVL tokens were immediately swapped for 3,345 BNB, valued at approximately $1.1 million at the time of the exploit.
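To make the bug class concrete, the following is an added, illustrative Solidity contract written for this article; it is not Level Finance’s LevelReferralControllerV2 and does not claim to reproduce its actual code. The contract name, the epoch length, the reward-points mapping and the `claimed` mapping are all assumptions. It places a claim function that never records which epochs have already been paid next to a hardened version that enforces one claim per address per epoch, pays only for finished epochs, applies checks-effects-interactions and carries a re-entrancy guard (the class of issue the Obelisk review is reported below to have flagged).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Example code written for this article (assumed names and layout), not the
// project's own contract. It shows the "repeated claim in one epoch" bug class
// beside a hardened claim path.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract ReferralClaimsExample {
    IERC20 public immutable rewardToken;
    uint256 public constant EPOCH_LENGTH = 1 days; // assumed epoch length

    // epoch => user => reward points accrued during that epoch (assumed layout)
    mapping(uint256 => mapping(address => uint256)) public rewardPoints;
    // epoch => user => whether that epoch's reward was already paid out
    mapping(uint256 => mapping(address => bool)) public claimed;

    // Minimal re-entrancy guard.
    bool private locked;
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor(IERC20 token) {
        rewardToken = token;
    }

    function currentEpoch() public view returns (uint256) {
        return block.timestamp / EPOCH_LENGTH;
    }

    // VULNERABLE PATTERN (kept deliberately minimal): the function sums the
    // caller's points for the requested epochs and pays them out, but it never
    // marks the epochs as claimed or zeroes the balance, so a second call in the
    // same epoch pays the same points again. It also accepts the live epoch,
    // so points can still be growing while they are being paid.
    function claimMultipleVulnerable(uint256[] calldata epochs) external {
        uint256 total;
        for (uint256 i = 0; i < epochs.length; i++) {
            total += rewardPoints[epochs[i]][msg.sender];
        }
        require(rewardToken.transfer(msg.sender, total), "transfer failed");
    }

    // HARDENED PATTERN: one claim per (epoch, address), finished epochs only,
    // state updated before the external token transfer, and a re-entrancy guard.
    function claimMultiple(uint256[] calldata epochs) external nonReentrant {
        uint256 live = currentEpoch();
        uint256 total;
        for (uint256 i = 0; i < epochs.length; i++) {
            uint256 e = epochs[i];
            require(e < live, "epoch not finished");
            require(!claimed[e][msg.sender], "already claimed");
            claimed[e][msg.sender] = true;            // effect before interaction
            total += rewardPoints[e][msg.sender];
            rewardPoints[e][msg.sender] = 0;          // cannot be counted twice
        }
        require(total > 0, "nothing to claim");
        require(rewardToken.transfer(msg.sender, total), "transfer failed");
    }
}
```

The two defences that matter most here are independent of each other: the `claimed` flag (with the balance zeroed) closes the double-payment, and the `e < live` check keeps a still-accruing epoch from being paid at all, so inflating points mid-epoch with borrowed funds gains nothing until the epoch closes and the total is fixed. Any claim function that lacks either of these is worth flagging in review regardless of whether the surrounding contract was in an audit’s scope.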

Affected Systems

Level Finance was quick to reassure users that the exploit was isolated to the Referral Controller Contract. The platform confirmed that liquidity providers (LPs) and the DAO treasury remained completely unaffected by the attack. The core trading functionality, order books, and user funds held in trading accounts were not compromised.

However, the market impact was immediate and severe. The LVL token lost roughly 50% of its value within hours of the disclosure, reflecting heightened investor concern about the platform’s security posture despite the contained nature of the breach.

Security firm DeDotFi reported that the attacker had deployed an unverified contract seven days before the successful exploit, suggesting a week-long reconnaissance period. BlockSec noted that the attacker had actually attempted to exploit the same flaw multiple times in the preceding week but failed until refining their approach.

The Mitigation Strategy

Level Finance responded by temporarily shutting down the referral program entirely, cutting off the attack vector at its source. The team committed to deploying a fix within 12 hours of the incident and launched a DAO proposal to determine how the community should handle the 214,000 LVL tokens that were fraudulently added to circulation.

The platform’s response followed established incident management protocols: isolate the affected component, halt the attack vector, communicate transparently with the community, and engage external security auditors for post-mortem analysis. PeckShield, BlockSec, and DeDotFi all published independent analyses of the exploit within hours.

Lessons Learned

The Level Finance incident exposes a critical gap in the DeFi security model: the boundary between audited and unaudited code. Level Finance had undergone two security audits from independent firms in early 2023, including a detailed review by blockchain auditing firm Obelisk published in January. However, the ReferralController contract that was exploited was considered a "placeholder" by the Level Finance team, who stated it was out of the audit scope.

Obelisk had explicitly flagged the referral controller as a risk, noting potential re-entrancy issues depending on how the contract was used. The audit report also highlighted two high-risk issues that remained open: no maximum capacity on swaps and missing contracts and functions. These warnings went unaddressed, and the unaudited placeholder contract became the attack surface.

This pattern is disturbingly common. Just days earlier, DEX Merlin lost $1.82 million in a rogue-insider incident that came mere days after it announced a successful CertiK audit. In 2022, decentralized music platform Audius lost $6 million through a flaw in a system that had passed two independent security assessments.

User Action Required

For users of Level Finance and similar DeFi platforms, this incident reinforces several critical security practices. Always verify which contracts have been audited before interacting with a protocol — the presence of an audit does not guarantee all code has been reviewed. Monitor official project channels for real-time incident updates, and consider withdrawing funds from any platform that discloses a security event until a full post-mortem is published. Diversifying across multiple platforms limits exposure to any single point of failure, particularly for referral programs and auxiliary features that may not receive the same security scrutiny as core trading infrastructure.

Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before engaging with any DeFi protocol.


8 thoughts on “Level Finance Referral Contract Drained for $1.1 Million in BNB Chain Smart Contract Attack”

  1. the claimMultiple bug is such a classic pattern. no re-entrancy guard on an epoch claim and boom, 214k LVL gone. peckshield caught it fast tho

    1. no re-entrancy guard on an epoch claim is 2021 level negligence. PeckShield flagged it but the damage was already done by then

  2. flashloans to inflate referral points is a nasty combo. wonder how many other protocols have the same vulnerability in their referral systems

    1. Marta W.

      the scary part is how many protocols probably have the same bug and just have not been targeted yet. referral systems are notoriously undertested

    2. ^ exactly. the referral contract was basically a blank check if you could game the epoch logic. not the first time this exact pattern has been exploited on BNB Chain either

    3. rekt_collector

      flashloans plus referral gaming is such a predictable combo at this point. protos need to cap referral claims per address per epoch, period

  3. $1.1M from a referral bug on BNB Chain. This exact pattern keeps happening because copy paste dev teams skip the audit

    1. Rohan Mehta

      audit culture on BNB chain is basically non existent. copy the uniswap fork, skip the audit, launch. $1.1M later everyone acts surprised
