Highlights:

  • With Levana, traders can engage in continuous trading of derivative futures assets, speculating on asset prices without regard to expiration dates.
  • The team also reported that, in addition to the attack, the protocol experienced a daily distributed denial-of-service attack in the run-up, which began on December 17 and continued until December 26.

Levana, a blockchain-based perpetual futures swap protocol, said it had experienced an exploit that caused over USD 1.1 million worth of cryptocurrency tokens to disappear from its liquidity pools.

The incident, which drained roughly ten percent of the reserves, was a major setback for the protocol, according to the administrators, who posted on X, formerly Twitter. It impacted seven wallets that were linked to an oracle, a mechanism by which blockchain protocols connect to other systems so that they can operate in response to external inputs from the real world.

Levana is a particular kind of blockchain-based financial market. With Levana, traders can engage in continuous trading of derivative futures assets, speculating on asset prices without regard to expiration dates. Perpetual futures differ from standard futures contracts because they have no specified expiration date and can be kept indefinitely. For traders to profit from trading these assets among themselves, the protocol must maintain cryptocurrency token liquidity pools from which payouts are made.

Administrators conducted a post-mortem on the attack and found that the attacker had exploited a bottleneck on the Osmosis blockchain, which was produced artificially while the market was stressed. The congestion allowed the hackers to manipulate prices, which made the exploit possible. According to Levana, a glitch in the Osmosis fee market code meant that during periods of congestion, “the provided gas price was generally insufficient for making trades or performing ongoing bot maintenance activities.”

According to Levana, the attack happened between December 13 and December 26. Because of congestion that prevented regular users from transacting during that period and prevented the protocol’s bots from interacting with Pyth, the oracle, the hackers were able to launch an attack that drained the liquidity pools.

The team emphasized that although Pyth was a significant part of the breach, no known vulnerability in it was observed. Levana said the oracle behaved exactly as expected.

The team also reported that, in addition to the attack, the protocol experienced a daily distributed denial-of-service attack in the run-up, which began on December 17 and continued until December 26. The DDoS attack caused instability on the platform, and a large part of the Levana technical team was engaged in addressing it.

“It’s unclear if there’s any relationship between the congestion attack and this string of DDoS attacks. It’s common practice for DDoS attackers to use the DDoS attack as a distraction from a more insidious attack,” the team mentioned.

The team stated that current trader positions and earnings are unaffected and can either be closed or left open. But until an update comes out next week, no new positions can be created and existing ones cannot be modified. Furthermore, current deposits are safe against the attack because open positions have been halted.

According to Levana, the vulnerability the attackers exploited has been patched, and the team is currently testing the patch. Refunds will also be given to liquidity providers harmed by the exploit during the attack window. “Our main focus now is to get the protocol back online as soon as safely possible with significant learnings from the multistage sequence of the exploit,” Levana said.

Throughout 2023, cryptocurrency protocols, exchanges, and businesses have been prominent targets for hackers. Statistics from De.FI, the Web3 security company that maintains the REKT database, show that hackers took about two billion dollars of cryptocurrency across many breaches this year. Several noteworthy cyberattacks occurred in November, including the theft of almost USD 100 million from Poloniex, a significant cryptocurrency exchange, USD 50 million from Curve Finance, a decentralized finance protocol, and about USD 200 million from Euler Finance.