Blockchain-based Levana Protocol exploited for $1 million+ in crypto hack

The blockchain-based perpetual futures swap protocol Levana announced Wednesday that it suffered an exploit that resulted in the loss of about $1.1 million worth of cryptocurrency tokens from its liquidity pools.

According to the administrators, who posted on X, formerly Twitter, the incident was a significant setback for the protocol, draining about 10% of the reserves. It affected seven wallets identified as being attached to an oracle, which is a system used by blockchain protocols to connect to external systems, allowing them to trigger based on real-world inputs.

Levana is a blockchain-based financial market that lets users trade derivative futures assets “perpetually,” so traders can speculate on the future price of the assets without an expiration date. Unlike traditional futures contracts, which have a set expiration, perpetual futures can be held indefinitely. Traders can swap these assets between themselves for gains, which requires the protocol to maintain liquidity pools of cryptocurrency tokens for payouts.

According to a post-mortem on the attack, the administrators said the attacker took advantage of congestion on the Osmosis blockchain at a time when the market was under high stress that had been created artificially by an exploit. That allowed the hackers to manipulate prices, which made the exploit possible. According to Levana, a bug in the Osmosis fee market code meant that during times of congestion, “the provided gas price was generally insufficient for making trades or performing ongoing bot maintenance activities.”

Levana said the attack took place between Dec. 13 and Dec. 26. During that time, congestion denied normal customers the ability to transact, and the protocol’s bots were unable to interact with its oracle, named Pyth, which allowed the hackers to drain the liquidity pools.

The team stressed that Pyth was a key part of the attack, but there is no known vulnerability in it. “It behaved exactly as expected,” the Levana team said.

In addition to the attack, the team said that during the lead-up the protocol suffered distributed denial-of-service attacks on a daily basis from Dec. 17 until Dec. 26. That meant a significant portion of the Levana engineering team was dedicated to dealing with those attacks, which were generating instability on the platform.

“It’s unclear if there’s any relationship between the congestion attack and this string of DDoS attacks,” the team said. “It’s common practice for DDoS attackers to use the DDoS attack as a distraction from a more insidious attack.”

Existing trader positions and profits are unaffected, and positions remain open or can be closed, the team said. However, opening or modifying existing positions has been halted until an update next week. And since opening positions has been halted, existing deposits are not at risk from the exploit.

The vulnerability exploited by the attackers has been fixed, Levana said, and the team is currently testing the fix. Any liquidity providers who were impacted by the exploit during the attack window will be refunded as well. “Our main focus now is to get the protocol back online as soon as safely possible with significant learnings from the multistage sequence of the exploit,” Levana said.

Crypto protocols, exchanges and companies have been major targets of exploits and hackers throughout 2023. According to statistics from De.FI, the Web3 security firm that runs the REKT database, hackers stole around $2 billion worth of crypto during dozens of cyberattacks this year. Some notable hacks included over $100 million stolen from the major cryptocurrency exchange Poloniex in November, $50 million taken from the decentralized finance protocol Curve Finance and almost $200 million stolen from Euler Finance.
