Levana Protocol exploited for over $1 million on Osmosis blockchain
Levana, a perpetual swap protocol on the Osmosis blockchain, fell victim to an exploit that resulted in the loss of over $1.1 million from its liquidity pools.
The exploit occurred over 13 days, according to a post-mortem report provided by the team. Between Dec. 13 and Dec. 26, the attackers drained 10% of the liquidity pools on Levana.
Attackers took advantage of a congestion attack on the Osmosis chain, which hampered the ability of Levana users to interact with the markets. This was compounded by a bug in the fee market code of Osmosis and “price staleness” in Levana’s integration with the Pyth oracle, enabling the attackers to manipulate prices and drain the pools.
“A bug in the Osmosis fee market code meant that during times of congestion, the provided gas price was generally insufficient for making trades or performing ongoing bot maintenance activities,” Levana wrote.
The team clarified that there is no vulnerability with the Pyth oracle as it “behaved exactly as expected.”
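The "price staleness" condition named in the post-mortem can be guarded against by refusing to trade on an oracle price older than a set age. The sketch below is an added example, not Levana's, Osmosis's or Pyth's code: it replays a constructed timeline in which oracle updates stop landing during congestion. All names, the 30-second threshold and the sample prices are assumptions made for illustration.

```rust
// Added illustration: names, threshold and timeline are assumptions, not Levana or Pyth code.
/// Last oracle price stored on chain, with the oracle's publish time (unix seconds).
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct StoredPrice { pub price: u64, pub publish_time: u64 }
#[derive(Debug, PartialEq)]
pub enum PriceError {
    Missing,                 // no update has landed yet
    Stale { age_secs: u64 }, // older than the allowed age at this block
    FromFuture,              // publish time ahead of block time: rejected, not treated as fresh
}
/// Hypothetical maximum price age (seconds) a trade may rely on.
pub const MAX_PRICE_AGE_SECS: u64 = 30;

/// Return the stored price only if it is fresh relative to the block time.
pub fn price_for_trade(stored: Option<StoredPrice>, block_time: u64) -> Result<u64, PriceError> {
    let p = stored.ok_or(PriceError::Missing)?;
    let age_secs = block_time.checked_sub(p.publish_time).ok_or(PriceError::FromFuture)?;
    if age_secs > MAX_PRICE_AGE_SECS {
        return Err(PriceError::Stale { age_secs });
    }
    Ok(p.price)
}

/// What the contract sees, in block order.
pub enum Event {
    Update(StoredPrice), // an oracle update transaction that made it on chain
    Trade(u64),          // a trade attempt at this block time
}

/// Replay events and record the outcome of every trade attempt.
pub fn replay(events: &[Event]) -> Vec<Result<u64, PriceError>> {
    let mut stored = None;
    let mut outcomes = Vec::new();
    for event in events {
        match event {
            Event::Update(p) => stored = Some(*p),
            Event::Trade(t) => outcomes.push(price_for_trade(stored, *t)),
        }
    }
    outcomes
}

/// Constructed timeline: no update lands between t=5 and t=120 (congestion).
pub fn sample_timeline() -> Vec<Event> {
    let up = |price, publish_time| Event::Update(StoredPrice { price, publish_time });
    vec![up(100, 0), up(101, 5), Event::Trade(6), Event::Trade(60), up(140, 120), Event::Trade(121)]
}
fn main() {
    println!("{:?}", replay(&sample_timeline()));
}
```

In the sample, the trade attempted mid-congestion is rejected because the stored price is 55 seconds old, while trades made right after an update landed go through.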
Levana is working on a fix that will be deployed in an upgrade of its code on chains where Levana is offered: Osmosis, Sei and Injective.
It added that existing trade positions and profits remained unaffected despite the exploit. However, new positions and modifications to existing ones have been temporarily halted until a scheduled update next week.
Levana plans to compensate affected liquidity providers through an airdrop and the distribution of collected protocol fees during the attack period.