defirisk.co
rubric v1.7.0

Level Finance: Logic bug — referral reward claimMultiple() epoch not checked for reuse


Occurred: 2023-05-01 | Loss: $1M | Status: closed

Summary

Level Finance, a perpetuals DEX, suffered an exploit on 2023-05-01, resulting in a loss of approximately $1M.

What happened

Level Finance is a BSC-based perpetuals platform. The exploit targeted the contract's claimMultiple() function, which processed referral reward claims without checking whether the same epoch had already been claimed.
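The missing check can be modelled off-chain as a replay audit. The sketch below is an added example, not Level Finance's code: it replays decoded claim calls against a per-(user, epoch) claimed set, reports every reused epoch, and compares payouts with and without the check. All names, addresses, epochs and reward amounts are constructed assumptions, and it also covers an epoch repeated within one call, which goes beyond what the page states.

```python
from collections import defaultdict

# Constructed sample: decoded claimMultiple(epochs) calls as (caller, epochs).
# Addresses, epoch numbers and reward amounts are made up for illustration.
SAMPLE_CALLS = [
    ("0xaaa", [1, 2]),
    ("0xbbb", [2]),
    ("0xaaa", [2, 3]),        # epoch 2 reused across calls
    ("0xccc", [4, 4, 4]),     # epoch 4 repeated inside one call
]
SAMPLE_REWARDS = {("0xaaa", 1): 10, ("0xaaa", 2): 20, ("0xaaa", 3): 5,
                  ("0xbbb", 2): 7, ("0xccc", 4): 100}


def replay_claims(calls, rewards):
    """Replay claims with a per-(user, epoch) claimed set.

    Returns (paid_checked, paid_unchecked, findings): totals paid per user
    with and without the reuse check, and every reused (call_index, user, epoch).
    """
    claimed = set()
    paid_checked = defaultdict(int)
    paid_unchecked = defaultdict(int)
    findings = []
    for idx, (user, epochs) in enumerate(calls):
        for epoch in epochs:
            amount = rewards.get((user, epoch), 0)
            paid_unchecked[user] += amount      # behaviour without the check
            if (user, epoch) in claimed:
                findings.append((idx, user, epoch))
                continue                        # hardened path: pay nothing
            claimed.add((user, epoch))          # mark before paying
            paid_checked[user] += amount
    return dict(paid_checked), dict(paid_unchecked), findings


def overpayment(calls, rewards):
    """Total paid beyond entitlement when epochs are not checked for reuse."""
    checked, unchecked, _ = replay_claims(calls, rewards)
    return sum(unchecked.values()) - sum(checked.values())


if __name__ == "__main__":
    checked, unchecked, findings = replay_claims(SAMPLE_CALLS, SAMPLE_REWARDS)
    print("reused epochs:", findings)
    print("overpaid:", overpayment(SAMPLE_CALLS, SAMPLE_REWARDS))
```

A non-empty findings list on real decoded call data is the signal to alert on: with a correct contract-side check, any such call would revert or pay nothing.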

Linked factors

  • RD-F-001 — causal : ★ Audit scope mismatch — alternate field name [via dashboard_risk_factors/Exploited code in scope?: No — the vulnerable implementation was introduced in a post-audit proxy upgrade not committed to the public repo]
  • RD-F-006 — causal : Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Y — vulnerable code introduced via proxy upgrade on April 18, 2023] || Time between audit end and deploy [via cross-hack: Factor 21: Post-Audit Code Change Without Re-Audit]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
  • RD-F-077 — causal : Prior exploit count [via cross-hack: Factor 5: Second Exploit on Same Protocol]
  • RD-F-078 — causal : Chronic flag (≥3 prior exploits) [via cross-hack: Factor 5: Second Exploit on Same Protocol]
  • RD-F-079 — causal : Same-root-cause repeat exploit [via cross-hack: Factor 5: Second Exploit on Same Protocol]
  • RD-F-139 — causal : ★ Post-audit code changes deployed without re-audit [via cross-hack: Factor 21: Post-Audit Code Change Without Re-Audit]