On November 26, 2021, the Lever DeFi protocol was the victim of a hack.  The attacker took advantage of an oversight in the protocol’s liability calculations to perform a flash loan hack that stole over $652k in tokens.

Inside the Attack

The Lever hack was a flash loan attack involving two malicious smart contracts.  The first contract set up the conditions required for the hack.  Malicious Contract A borrowed 2,100 BNB from PancakeSwap and deposited 2,000 of it into Lever’s BNB vault in exchange for 2,000 interest-bearing BNB (xWBNB).  The contract then borrowed 1,500 in BNB from the Lever BNB vault.

This BNB was then transferred to Malicious Contract B, which deposited it.  In exchange, Malicious Contract B received 32.78 ETH, 1,068.05 BAKE, 167.25 XVS, 1,042.89 DAI, 64,157.79 BUSD, 54,335.19 USDT ,2.8806 BTC, 1,930.01CAKE, 463.0078DOT, and 332.9184 WBNB, which total over $652k.

At this point, Malicious Contract A has 2,000 xWBNB and a debt of 1,500 BNB.  The attacker was able to return the 2,000 xWBNB for interest and used Malicious Contract B’s 2,000 xWBNB, which was already used as collateral in a loan, to repay its debt and extract the 2,000 BNB that it had previously deposited and needed to repay the flash loan.

This hack was possible because Lever’s contract did not check that Malicious Contract B’s xWBNB was not used as collateral in a loan before allowing it to be used to repay Malicious Contract A’s loan.  This oversight allowed Malicious Contract B to spend its collateral to pay off another loan while retaining the tokens loaned to it.

Lessons Learned From the Attack

The Lever attacker took advantage of a vulnerability that existed since the first launch of the protocol.  The project has undergone multiple security audits, but this vulnerability slipped under the radar.

Security audits are vital to detecting vulnerabilities in DeFi projects, but not all vulnerabilities are detected by an audit.  Regular code audits can help to identify those vulnerabilities that might otherwise have slipped through the cracks.

Rob Behnke