Levana, a perpetual swap protocol on the Osmosis blockchain, fell victim to an exploit – resulting in the loss of more than $1.1 million from its liquidity pools.
According to a post-mortem report from the team, the exploit took place over 13 days. Between December 13 and 26, the attackers drained 10% of the liquidity pools on Levana.
Attackers took advantage of a congestion attack on the Osmosis chain, hampering Levana users’ ability to communicate with the markets. This was further exacerbated by a bug in Osmosis’ fee market code and “price steeliness” in Levana’s integration with the Pyth Oracle, which allowed the attackers to manipulate prices and drain the pools.
“A bug in the market code for Osmosis fees meant that during times of congestion, the gas price offered was generally insufficient to make transactions or perform ongoing bot maintenance activities,” says Levana. wrote.
The team clarified that there is no vulnerability with the Pyth oracle, as it “behaved exactly as expected.”
Levana is working on a solution that will be implemented in an upgrade of its code on chains where Levana is offered: Osmosis, Sei and Injective.
It added that existing trading positions and profits remained unaffected despite the exploitation. However, new positions and changes to existing positions have been temporarily halted until a scheduled update next week.
Levana plans to compensate affected liquidity providers via an airdrop and the distribution of collected protocol fees during the attack period.
