
Levana Protocol: Analyzing the $1.146 Million Attack

Levana Protocol: Deconstructing the $1.146 Million Oracle Manipulation Attack, Network Congestion, and DDoS Impact – Insights into Vulnerabilities, Compensation Measures, and Future Security Enhancements in Decentralized Finance (DeFi)

TL;DR

Levana Protocol suffered a significant loss of $1.146 million due to an oracle manipulation attack exacerbated by network congestion and a concurrent DDoS assault. The attack took advantage of vulnerabilities in oracle updates and transaction processing, prompting the protocol to compensate users and implement new security measures.


In a sudden turn of events, Levana Protocol's platform has suffered a significant setback, losing more than $1.1 million, equivalent to roughly 10% of its liquidity, due to an oracle manipulation attack that persisted for nearly two weeks.

The issue, which initially flew under the radar, gained traction as network congestion exacerbated its impact.

According to a disclosure released on Wednesday, the majority of these losses occurred when heightened gas fees on the Osmosis network unexpectedly increased the profitability of the exploit.

The stark escalation in financial damages prompted an immediate response from the protocol's team, leading them to temporarily halt its operations.

The exploit began two weeks ago, gradually siphoning off about 4% of Levana's liquidity pools over a span of 12 days.

Initially, the altered Profit and Loss (PnL) was chalked up to normal trader activities, including inefficiencies in Levana's smaller markets.

However, the situation took a drastic turn yesterday amid congestion on the Osmosis network, with the attacker managing to drain an additional ~5% from the pools before the protocol could be frozen to prevent further losses.

But without the surge in network activity, would the breach have gone undetected altogether?


Levana's post-mortem reveals that the attack commenced on December 13th, gaining momentum notably on December 26th.

The exploit capitalized on short-lived price disparities (delta) between updates from oracles, targeting "volatile markets with high leverage" to execute profitable trades.

Although the attack method appears straightforward, understanding the context is crucial.

Oracle updates occur during regular user transactions and are also triggered by Levana's off-chain update bot every 90 seconds. By strategically timing their maneuvers and blocking competing transactions, the attackers exploited occasional windows of vulnerability.

Initially, gains were modest because the exploit relied on a specific set of conditions: a substantial price delta had to occur within less than 90 seconds, and no other trading or bot activity could interrupt that narrow window.

The second, more lucrative phase of the attack capitalized on congestion issues within the Osmosis network. It remains unclear whether this congestion was naturally occurring or orchestrated to facilitate the attack.

Regardless of its origin, the congestion created numerous opportunities for the attacker to place highly leveraged bets, effectively blocking regular user transactions. According to the report:

A flaw in the Osmosis fee market code meant that during congestion periods, the provided gas prices were often inadequate for executing trades or conducting routine bot maintenance tasks.
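A monitor for the trace both phases leave behind, as an added example that is not Levana's code: it flags position opens followed within seconds by an oracle update that moves the price in their favour, and marks those priced off data older than the 90-second bot interval. The event format, the thresholds and all names are assumptions, and the sample events are constructed.

```rust
// Added example: the event format, thresholds and all names are assumptions.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Side { Long, Short }
#[derive(Clone, Copy, Debug)]
pub enum Event { OracleUpdate { t: u64, price_micro: i64 }, Open { t: u64, trader: u32, side: Side } }
#[derive(Debug, PartialEq)]
pub struct Alert { pub trader: u32, pub opened_at: u64, pub favourable_bps: i64, pub stale: bool }

/// Scan a time-ordered stream. An open is flagged when the next oracle update
/// lands within `window` seconds of it and moves the price at least `min_bps`
/// in its favour; `stale` marks opens priced off data older than `max_age`.
pub fn scan(events: &[Event], max_age: u64, window: u64, min_bps: i64) -> Vec<Alert> {
    let mut alerts = Vec::new();
    let mut last: Option<(u64, i64)> = None; // (time, price) of the latest update
    let mut pending: Vec<(u64, u32, Side, u64)> = Vec::new(); // opens since that update
    for ev in events {
        match *ev {
            Event::Open { t, trader, side } => {
                if let Some((updated_at, _)) = last { pending.push((t, trader, side, t - updated_at)); }
            }
            Event::OracleUpdate { t, price_micro } => {
                if let Some((_, old)) = last {
                    let move_bps = (price_micro - old) * 10_000 / old;
                    for (opened_at, trader, side, age) in pending.drain(..) {
                        let favourable_bps = if side == Side::Long { move_bps } else { -move_bps };
                        if t - opened_at <= window && favourable_bps >= min_bps {
                            alerts.push(Alert { trader, opened_at, favourable_bps, stale: age > max_age });
                        }
                    }
                }
                last = Some((t, price_micro));
            }
        }
    }
    alerts
}

/// Constructed sample: one routine open, then two opens each followed by a large update.
pub fn sample() -> Vec<Event> {
    use self::Event::*;
    vec![
        OracleUpdate { t: 0, price_micro: 10_000_000 }, Open { t: 30, trader: 1, side: Side::Long },
        OracleUpdate { t: 90, price_micro: 10_010_000 }, Open { t: 170, trader: 7, side: Side::Long },
        OracleUpdate { t: 172, price_micro: 10_210_200 }, Open { t: 400, trader: 7, side: Side::Short },
        OracleUpdate { t: 403, price_micro: 10_057_047 },
    ]
}

fn main() { for a in scan(&sample(), 90, 5, 100) { println!("{:?}", a); } }
```

Repeated alerts for the same account are the signal worth escalating; a single favourable fill can be ordinary luck.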

Compounding these challenges, the project faced a persistent DDoS attack for much of the exploit's duration, severely limiting their response capabilities.

The affected markets and their respective losses, totaling $1.146 million, are as follows:

  1. stATOM_USD: Loss of $241,000

  2. ATOM_USD: Loss of $229,000

  3. BTC_USD: Loss of $190,000

  4. ETH_USD: Loss of $128,000

  5. TIA_USD: Loss of $108,000

  6. Other_USDC: Loss of $168,000 and an additional $82,000

These figures detail the specific losses incurred across different markets, reflecting the impact of the exploit on Levana Protocol.

Carter L. Woetzel's detailed step-by-step analysis highlights the intricate factors influencing the exploit:

  1. Flood the network with spam transactions to block oracle update transactions from users or Levana's infrastructure.

  2. Launch a Distributed Denial of Service (DDoS) attack targeting backend infrastructure linked to scheduled oracle update transactions.

  3. Deploy an intelligent system that monitors the delta (difference) between outdated oracle data and current market prices, ready to execute actions swiftly.

  4. Execute a multi-transaction strategy: simultaneously place leveraged long or short positions and update the oracle's stale data to reflect current market prices. This tactic ensures profits for the attacker, leveraging their foresight into the imminent oracle update.

  5. Exploit their role in causing network congestion strategically. By submitting transactions precisely where congestion allows, they ensure prioritization by network nodes.

This methodical approach underscores the sophistication and planning involved in the Levana Protocol exploit, demonstrating how multiple strategies were coordinated to maximize gains while minimizing detection and interference.


Levana underwent audits by FYEO and Peckshield earlier in the year, but vulnerabilities relying on external factors like network congestion were apparently outside the scope of these assessments.

To mitigate the impact on users, the project plans to reimburse losses through fees and a forthcoming airdrop of LVN tokens. Additionally, they're implementing a transaction queuing system that mandates a fresh oracle price for opening positions.
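One way a queue of this kind can enforce a fresh price, as an added example rather than Levana's implementation: an open is only recorded when submitted and is filled at the first oracle price published after it was queued. It assumes "fresh" means published after the request, and all names and values are hypothetical.

```rust
// Added example, not Levana's code: every name and value here is hypothetical.
// Assumption: "fresh" means the price was published after the open was queued.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Direction { Long, Short }
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct OraclePoint { pub published_at: u64, pub price_micro: u64 }
#[derive(Clone, Copy, Debug)]
pub struct QueuedOpen { pub id: u64, pub queued_at: u64, pub direction: Direction }
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Fill { pub id: u64, pub direction: Direction, pub entry_price_micro: u64, pub priced_at: u64 }

#[derive(Default)]
pub struct Market { queue: Vec<QueuedOpen>, next_id: u64, last_publish: Option<u64> }

impl Market {
    /// Submitting an open never prices it; only the request time is recorded.
    pub fn queue_open(&mut self, now: u64, direction: Direction) -> u64 {
        let id = self.next_id;
        self.next_id += 1;
        self.queue.push(QueuedOpen { id, queued_at: now, direction });
        id
    }

    /// Apply an oracle update and fill every open queued strictly before its
    /// publish time. Opens queued at or after that time wait for the next one.
    pub fn on_oracle_update(&mut self, point: OraclePoint) -> Vec<Fill> {
        // Ignore replayed or out-of-order updates so an old price cannot fill anything.
        if self.last_publish.map_or(false, |prev| point.published_at <= prev) {
            return Vec::new();
        }
        self.last_publish = Some(point.published_at);
        let (ready, waiting): (Vec<QueuedOpen>, Vec<QueuedOpen>) =
            self.queue.drain(..).partition(|q| q.queued_at < point.published_at);
        self.queue = waiting;
        ready.iter().map(|q| Fill { id: q.id, direction: q.direction,
            entry_price_micro: point.price_micro, priced_at: point.published_at }).collect()
    }

    pub fn pending(&self) -> usize { self.queue.len() }
}

fn main() {
    let mut market = Market::default();
    market.on_oracle_update(OraclePoint { published_at: 100, price_micro: 10_000_000 });
    market.queue_open(150, Direction::Long); // the price from t=100 is never used for this open
    let fills = market.on_oracle_update(OraclePoint { published_at: 200, price_micro: 10_500_000 });
    println!("{:?}, pending = {}", fills, market.pending());
}
```

Because the entry price is unknown at submission time, holding back oracle updates no longer yields a known-stale fill price; a production design would also need slippage limits and an expiry for requests that wait too long.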

Even in the decentralized realm of DeFi, protocols are interconnected. They are influenced by factors beyond their immediate control, such as external oracles and network fee structures. Continuous evaluation and careful adjustments are essential to maintain the stability and reliability of the platform.

And with the recent surge in congestion affecting all blockchain networks, every protocol faces the risk of being unexpectedly bogged down.

Savvy attackers could potentially exploit these conditions by pinpointing similar vulnerabilities, patiently awaiting congestion thresholds to peak before striking across multiple fronts.

However, considering the intricate nature of this hack — leveraging network-level strains, protocol logic, and off-chain systems, compounded by a disruptive DDoS attack — one might wonder: Was Levana merely unlucky?

Alternatively, could this incident signify the rise of more sophisticated and time-sensitive attacks in the decentralized space?
