Hacker drains $1.1 million from Levana Protocol liquidity pools

Levana’s perpetual-swap platform on the Osmosis blockchain was hit by an attack, resulting in attackers draining liquidity pools crypto assets worth $1.1 million.

Important Update on Levana’s Security Situation!

There was an oracle attack on Levana impacting ~10% of the LP. The issue has been fixed and opening positions will relaunch next week. Trader profits, closing positions, withdraws and trigger orders are working as expected.

— Levana Protocol (@Levana_protocol) December 27, 2023

From December 13 to 26, attackers seized 10% of the DeFi protocol’s liquidity, exploiting network congestion that hindered traders’ ability to interact with the markets. The situation was exacerbated by an integration bug with price oracle Pyth, which allowed attackers to manipulate prices and drain the pools.

«A bug in the Osmosis market-fee code meant that during congestion the gas price provided was largely insufficient to complete trades or perform bot maintenance activities», — пояснили Levana’s developers.

According to them, there are no vulnerabilities in the Pyth price oracle itself — it behaved exactly as expected.

The developers added that current trading positions were not affected, despite the exploit. However, opening new trades, as well as modifying existing ones, are suspended until the update is deployed next week.

Levana plans to compensate losses to affected liquidity providers through airdrop and the distribution of fees collected by the protocol during the incident.

On December 16, unknown attacked the old smart contracts of the NFT Trader P2P platform and drained $3 million worth of non-fungible tokens.

Later, the Telcoin project lost $1.3 million due to the exploit, after which the TEL token price fell by 40%. Also was hacked for $190,000, a decentralised trading platform Thunder Terminal.