$647 000 USD

NOVEMBER 2021

GLOBAL

LEVER NETWORK

DESCRIPTION OF EVENTS

"Lever is the first AMM-based decentralized margin trading platform on multi-chains, where users can easily earn interest through lending and perform leveraged trading. Powered by its own margin pool and by integrating with external AMM’s like Uniswap, Lever can significantly increase your trade efficiency and asset utilization. With Lever, simplified margin trading and visualized position management are available for traders in the DeFi space."

 

"Lever is an open-source margin trading platform where you can lend, borrow and perform leveraged trading to either buy long/sell short an asset in just one place. For lenders and/or borrowers, you can lend your idle crypto assets to earn interest or use them as collateral to take out loans. And for traders, after making a margin deposit in the margin pool, you will be able to open either long or short positions in a supported asset in Lever with up to 3x leverage."

 

"Lever is basically an open-source margin trading platform where we can lend, borrow and perform leveraged trading to either buy long/sell short an asset in just one place. For lenders/borrowers, we can lend your idle crypto assets to earn interest or use them as collateral to take out loans. For traders,after making a margin deposit in the margin pool, we will be able to open either long or short positions in a supported asset in Lever with up to 3x leverage. The platform makes use of external AMMs like Uniswap to provide surplus liquidity."

 

Lever Finance had two audits from CertiK prior to the attack.

 

"On Nov-26–2021 06:48:42 PM +UTC, a hacker constructed an attack transaction."

 

"We are still checking what happened in the past few hours. Please be patient and wait. We will update the community ASAP." "For the security of the protocol, we have temporary paused LEV mining and also removed liquidities in Sushiswap and Mdex . We will bring them back when the time is right."

 

"#CertiK confirms that a hacker exploited Lever Finance with the flash loan attack on multi-chains."

 

"The attacker could withdraw a certain amount of various tokens (WETH, UNI, USDT, USDC, 1INCH), along with newly minted the same amount of d-tokens."

 

"First, the Lever attack contract A flashloaned 2,100 BNB from PancakeSwap and deposited 2000 BNB on Lever’s BNB vault. It then borrowed 1500 BNB from Lever’s BNB vault and transferred it to Lever attack contract B. The Lever attack contract B deposited 1500 BNB and used it to drain 32.78 ETH, 1,068.05 BAKE, 167.25 XVS, 1,042.89DAI, 64,157.79 BUSD, 54,335.19USDT ,2.8806 BTC, 1,930.01CAKE, 463.0078DOT, and 332.9184 WBNB. (The total loss equals $652941.949 at present market price.)"

 

"The key step is the Lever attack contract A used Lever attack contract B’s 1500 xBNB (which had been collateralized to borrow other assets) to repay the 1500 dBNB it borrowed, by calling the repay() function in our MarginPool.Sol contract." "The contract didn’t check the liabilities of the caller at this step. Thus, the Lever attack contract B was able to repay the attack contract A’s dtoken with its xtoken." "This loophole had been there since the first contract deployment, but was neglected by the team and our third-party auditing partners, until it was exploited by the hacker."

 

"(1) Borrow 20 WETH from DYDX. (2) Transfer borrowed WETH to Lever interest bearing WETH and get an interest-bearing reward for the owner. (3) 20 xWETH and 15.1 dWETH were minted to SuspiciousContract1 through Lever interest-bearing WETH (xWETH). (4) SuspiciousContract1 withdraw remaining WETH(15.1) from Lever interest-bearing WETH. (5) SuspiciousContract1 transfers remaining 15.1 WETH to SuspiciousContract2. (6) SuspiciousContract2 transferred left 15.1 WETH to Lever interest-bearing WETH contract. (7) 15.1 xWETH and 0.726 dWETH(ITx 22) were minted to SuspiciousContract2 through Lever interest-bearing WETH contract. (8) The above steps were repeated for xUSDC/dUSDC , xUSDT/dUSDT/USDT, xUNI/dUNI/UNI, and x1INCH/d1INCH/1INCH."

 

"The ETH version is now up and running. We have reinjected liquidity, you can normally use the protocol now. We will bring back the BSC version soon."

 

As of December 8th, "Lever BSC version is now back online. The reinjection has also been completed. You may now withdraw your deposit or repay your debt. Functions including Lending, Borrowing, Trading & Mining are still temporarily paused till further notice."

 

"As you may have already known, our protocol was recently hacked. A total of 32.78 ETH, 1,068.05 BAKE, 167.25 XVS, 1,042.89DAI, 64,157.79 BUSD, 54,335.19USDT ,2.8806 BTC, 1,930.01CAKE, 463.0078DOT, and 332.9184 WBNB were stolen from our liquidity pool. While we are trying our best to track the hacker and retrieve the funds, we would also like to put forward our compensation plan for the community."

 

"In the following days, we will use our own funds to reinject the exact amount of stolen tokens to the liquidity pool. By then you will be able to withdraw your full deposits. With that said, the Lever team will cover your loss. Of course, before we start the injection, we will need some time to fix the loophole and re-audit the contract. So please kindly wait and thanks for your support & understanding."

Despite two audits by CertiK, the Lever Network's smart contract hot wallet was still vulnerable to exploit due to a missing check. The funds were taken from the hacker. Because there wasn't an extreme amount of loss, the team was able to reimburse the loss from their own wallets.

HOW COULD THIS HAVE BEEN PREVENTED?

We recommend at least 2 audits come from independent experts. However, it's important to understand that smart contract hot wallets can never be certain to be completely secure, and it's best to have most funds in cold storage protected by multi-signature authorization.

 

Check Our Framework For Safe Secure Exchange Platforms

https://mobile.twitter.com/certikorg/status/1464640546610327564 (Jan 7)
Lever Finance (Jan 7)
https://www.dapp.com/app/lever (Jan 7)
Lever | The #1 AMM-Based Decentralized Margin Trading Platform (Jan 7)
What is LEVER - LEVER (Jan 7)
@LeverNetwork Twitter (Jan 7)
@LeverNetwork Twitter (Jan 7)
@LeverNetwork Twitter (Jan 7)
Compensation Plan For The Lever Hack (Jan 7)
@LeverNetwork Twitter (Jan 7)
Full Report Of The Lever Hack (Jan 7)
https://www.dapp.com/article/what-is-lever-and-how-to-use-it (Jan 7)
Address 0x11112f684cb88d43ca0e132e585e882606063fbe | Etherscan (Jan 7)
Contract Address 0xf9d4a280ec140acd1bc8f14dee08e28b8ca7ddeb | Etherscan (Jan 7)
Contract Address 0x79dbe9bbde91a35fa8148a14084979a531fe57ea | Etherscan (Jan 7)
Ethereum Transaction Hash (Txhash) Details | Etherscan (Jan 7)
https://coinmarketcap.com/currencies/ethereum/historical-data/ (Dec 21)
Bitcoin price today, BTC live marketcap, chart, and info | CoinMarketCap (May 16)
https://coinmarketcap.com/currencies/binance-coin/ (Jan 8)
https://coinmarketcap.com/currencies/polkadot-new/historical-data/ (Jan 8)
https://coinmarketcap.com/currencies/pancakeswap/historical-data/ (Jan 8)
https://coinmarketcap.com/currencies/binance-coin/historical-data/ (Jan 7)
https://coinmarketcap.com/currencies/bakerytoken/historical-data/ (Jan 8)
https://coinmarketcap.com/currencies/venus/historical-data/ (Jan 8)
Explained: The Lever Hack (November 2021) - halborn (Jan 8)
https://blog.insurace.io/security-incidents-in-november-e4bcb39dd7f9 (Feb 1)

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.