Perpetuals trading protocol Levana has fallen victim to an oracle attack, resulting in a loss of $1.14 million.
According to a report from the Levana team, the exploitation happened between December 13th and December 26th, with the assailants siphoning off 10% of Levana’s liquidity pools.
The perpetrators exploited a congestion attack on the Osmosis chain, disrupting the capability of Levana users to engage with the markets.
This was further exacerbated by a flaw in Osmosis’ fee market code and the presence of “price staleness” in Levana’s integration with the Pyth oracle. These vulnerabilities enabled the attackers to manipulate prices and deplete the pools.
“A bug in the Osmosis fee market code meant that during times of congestion, the provided gas price was generally insufficient for making trades or performing ongoing bot maintenance activities,” Levana wrote.
The team noted that there was no known vulnerability in the Pyth oracle despite the attack.
“Though the Pyth oracle is a key part of the attack, there is no known vulnerability in the Pyth oracle,” the team wrote. “It behaved exactly as expected.”
Hackers carry out oracle attacks by manipulating the information provided by an external data source, known as an oracle, with the intention of deceiving smart contracts or blockchain protocols. This manipulation of data from the oracle can lead to incorrect or unintended outcomes in smart contract executions, resulting in financial losses or unauthorized transactions.
The team pinpointed several markets affected by 7 “suspected malicious actors.” It remains uncertain whether additional accounts were involved in the exploit, and if these accounts acted independently or collaboratively.
The amount stolen could have been more if not for Levana’s perpetual swap mechanism utilizing a number of strong guarantees of protocol and trader solvency, the team stated.
“Despite the fact that the attacker was able to manipulate which oracle price updates landed on-chain, they were unable to affect other traders’ positions, profits or even potential profits as well as the locked parts of the liquidity pools,” the team wrote. “In addition, they were limited in the position size they were able to allocate to themselves given the protocol’s delta neutrality limits.”
Levana is actively developing a solution, which will be implemented through a code upgrade across the chains where Levana is available – Osmosis, Sei, and Injective.
The platform reassured users that existing trade positions and profits have not been impacted by the exploit. However, in a precautionary measure, the creation of new positions and modifications to existing ones has been temporarily suspended until the scheduled update next week.
Additionally, Levana has outlined a plan to compensate the affected liquidity providers. The company plans to conduct an airdrop and distribute collected protocol fees from the attack period to those affected.
Enter your email for our Free Daily Newsletter
A quick 3min read about today’s crypto news!
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.