Cybersecurity and Crypto
Crypto Compromise…Again
by Charles Parker
Everyone is talking about cryptocurrency. Some of this is good, with chatter on how much each coin may be worth in six months, when the holders will potentially be multi-millionaires, etc. There has also been the less than favorable press about dark web uses of it and ransomware payments (i.e., buzzkill). While these coins do hold vast volumes of wealth, there are other significant issues with the technology used. Recently Binance had a little problem with their bridge. Well, as with most things, this wasn’t the first and it won’t be the last. Our latest example of “This should be fine. What could go wrong?” involves the decentralized exchange Level Finance.
What happened now?
With all the compromises in the last couple of years, all I can think is “What happened now?” and give myself a face-palm. It must be compromise fatigue. Level Finance had a little bug/feature in their code. It was discovered on May 2nd. The “feature” was exploited and allowed approximately $1M of the platform’s native token (LVL) to be stolen. Once this was detected, activity was paused and the platform was taken offline. Curiously, the issue was announced on Twitter.
Attack Vector
With this fun attack, the vector was the Referral Controller Contract. Of all the different forms attacks can take, this is one of the newer ones. The post-attack response included contracting a blockchain security firm to review the incident.
It turns out the Level Finance Referral Controller Contract V2 had a bug/feature. This allowed the attacker to mint tokens without depositing any collateral (e.g., money). Approximately 214K LVL tokens were stolen this way. Once this was done, the attackers traded the LVL into Binance Coin (BNB) worth over $1.1M.
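As an added illustration (not Level Finance’s code, and not a reconstruction of their bug), here is a minimal Solidity contract in which the collateral deposit and the mint happen in the same call, with an invariant check that no token can exist unbacked; the 1:1 collateral ratio and all names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical collateral-backed token (added example, not Level Finance's code).
// Design goal: there is no code path that credits tokens without a matching deposit.
contract CollateralBackedToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => uint256) public collateralOf;
    uint256 public totalSupply;
    uint256 public totalCollateral;

    // Assumed ratio: 1 wei of collateral backs 1 token unit.
    uint256 public constant COLLATERAL_PER_TOKEN = 1;

    event Minted(address indexed to, uint256 amount, uint256 collateral);
    event Redeemed(address indexed from, uint256 amount, uint256 refund);

    // Deposit and mint are one atomic call; the deposit is checked before any credit.
    function mint(uint256 amount) external payable {
        require(amount > 0, "zero mint");
        uint256 required = amount * COLLATERAL_PER_TOKEN; // checked arithmetic in 0.8
        require(msg.value == required, "collateral does not match mint amount");

        collateralOf[msg.sender] += msg.value;
        totalCollateral += msg.value;
        balanceOf[msg.sender] += amount;
        totalSupply += amount;

        // Invariant: every token in circulation is backed by collateral held here.
        assert(totalCollateral >= totalSupply * COLLATERAL_PER_TOKEN);
        emit Minted(msg.sender, amount, msg.value);
    }

    // Burn tokens and return exactly the collateral that backed them
    // (checks-effects-interactions: state is updated before the transfer).
    function redeem(uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        uint256 refund = amount * COLLATERAL_PER_TOKEN;
        require(collateralOf[msg.sender] >= refund, "insufficient collateral");

        balanceOf[msg.sender] -= amount;
        totalSupply -= amount;
        collateralOf[msg.sender] -= refund;
        totalCollateral -= refund;

        (bool ok, ) = msg.sender.call{value: refund}("");
        require(ok, "refund failed");
        assert(totalCollateral >= totalSupply * COLLATERAL_PER_TOKEN);
        emit Redeemed(msg.sender, amount, refund);
    }
}
```

The `assert` lines are the kind of supply-backing invariant a test suite or audit can exercise directly, which is the check a reward or referral contract that mints tokens should never be able to violate.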
Fix
Obviously, this needed to be fixed ASAP. This is a quick route to the platform being closed, followed by bankruptcy filings and court. There have been many breaches of cryptocurrency platforms in recent years. Generally, the compromises have a high dollar value, which draws attackers in much like blood in the water draws sharks.
What’s the big deal? There was an error in the code, they fixed it, <sarcasm> the issue won’t happen again </sarcasm>, and we are all good. This points to a more systemic problem. The dev group has their timeline to work with. At times, this isn’t easy to deal with. You still need to code the updates and re-scan or test them. There needs to be more emphasis on the importance of testing and follow-up. Security pentesters need the time and scope to do their jobs. When you don’t give them that, you have issues (e.g., losing $1.1M). They are working to recover the funds, but you know what will probably happen.
About the author
Charles Parker II has been working in the info sec field for over a decade, in the banking,
medical, automotive, and staffing industries. Charles has matriculated and attained the MBA,
MSA, JD, LLM, and is in the final stage of the PhD in Information Assurance and Security
(ABD) from Capella University. Mr. Parker’s areas of interest include cryptography, AV, and
SCADA.