Referral Controller Contract Remediation
Due to recent updates in Level’s incentive mechanism, a bug was introduced into the Referral Controller Contract within the claimMultiple() function on the following line:
users[epoch][msg.sender].claimed = reward;
It should instead be
users[epoch][msg.sender].claimed += reward;
claimable() returns the user's reward for an epoch minus the amount already recorded as claimed. Because the buggy line overwrites claimed with that difference instead of adding to it, calling claimMultiple() with the same epoch repeated several times makes successive claimable() calls return an alternating sequence of positive values, each of which is added to the total reward payout.
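To make the alternation concrete, here is an added Python model of the per-epoch reward bookkeeping described above, with the vulnerable update (`claimed = reward`) beside the fixed one (`claimed += reward`). It is not Level's contract code: the class, the epoch number, the reward amounts and the earlier partial claim are constructed for illustration. The model assumes claimable() is computed as entitlement minus claimed, as the description implies, and that the user's entitlement for the epoch grew after an earlier claim, leaving claimed nonzero and below the entitlement (the page does not say how that state was reached).

```python
# Added example (not the project's code): model of claimMultiple() bookkeeping.

class ReferralController:
    """Minimal model of per-epoch reward accounting.

    entitlement[epoch][user] is the total reward the user has earned for the
    epoch; claimed[epoch][user] is what has already been paid out.
    """

    def __init__(self, buggy: bool):
        # buggy=True mirrors `claimed = reward`; buggy=False mirrors `claimed += reward`
        self.buggy = buggy
        self.entitlement: dict[int, dict[str, int]] = {}
        self.claimed: dict[int, dict[str, int]] = {}

    def set_entitlement(self, epoch: int, user: str, amount: int) -> None:
        self.entitlement.setdefault(epoch, {})[user] = amount

    def claimable(self, epoch: int, user: str) -> int:
        # Assumed shape of claimable(): what was earned minus what was recorded as claimed.
        earned = self.entitlement.get(epoch, {}).get(user, 0)
        paid = self.claimed.get(epoch, {}).get(user, 0)
        return earned - paid

    def _record_claim(self, epoch: int, user: str, reward: int) -> None:
        bucket = self.claimed.setdefault(epoch, {})
        if self.buggy:
            bucket[user] = reward                         # vulnerable: overwrites the running total
        else:
            bucket[user] = bucket.get(user, 0) + reward   # fixed: accumulates

    def claim_multiple(self, epochs: list[int], user: str) -> tuple[list[int], int]:
        """Mirror the claimMultiple() loop: query claimable() for each epoch in the
        caller-supplied list, record the claim, and sum the rewards. Returns the
        per-iteration rewards and the total paid out."""
        rewards = []
        total = 0
        for epoch in epochs:
            reward = self.claimable(epoch, user)
            if reward != 0:
                self._record_claim(epoch, user, reward)
                total += reward
            rewards.append(reward)
        return rewards, total


def run_scenario(buggy: bool) -> tuple[list[int], int]:
    """Constructed history: the user earns 100, claims it, then earns 50 more in the
    same epoch (entitlement 150, claimed 100, 50 outstanding). The user then passes
    the same epoch six times in a single claimMultiple() call."""
    c = ReferralController(buggy)
    user, epoch = "user", 7
    c.set_entitlement(epoch, user, 100)
    c.claim_multiple([epoch], user)          # claimed becomes 100 under either variant
    c.set_entitlement(epoch, user, 150)      # assumption: entitlement grew after the claim
    return c.claim_multiple([epoch] * 6, user)


if __name__ == "__main__":
    for buggy in (True, False):
        rewards, total = run_scenario(buggy)
        label = "claimed = reward " if buggy else "claimed += reward"
        print(f"{label}: per-call rewards {rewards}, total paid {total}, owed 50")
```

With the overwrite, claimed flips between 50 and 100 on every iteration, so claimable() alternates between 100 and 50 and the call pays out 450 against an outstanding balance of 50; with the accumulating update, the first iteration pays 50, claimed reaches 150, and every later iteration returns 0. Note that in this model the overwrite is harmless while claimed is still 0 (the first claim records the full entitlement and the next claimable() is 0), which is why the alternation only appears once a partial claim has been recorded.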
As a result, 214k LVL was siphoned out of the referral contract and converted to 3,345 BNB by the attacker. Steps have already been taken to secure the contract, and the fix will be pushed once the timelock expires. We accept full responsibility.
Since the full extent of the exploit was the addition of 214k LVL to the circulating supply, we would like to put forward the following proposal to minimize the impact on Level's community of users. Please vote for the combination of action steps that you think would generate the most durable value for the community as a whole:
1) The team will commit 2 LGO from the team wallet and conduct one or more special auctions to reduce the amount of LVL introduced, burning the purchased LVL at the end of each auction. Since no additional LGO will be issued as a result, Treasury value will not be affected: no dilution results from this auction.
2) The majority of the users affected by this exploit were those who unstaked their LVL tokens and panic sold in anticipation of the attacker selling. This caused the bulk of the price action that followed, and as the LVL token price recovered, some of the panic sellers were unable to buy back LVL at the price they sold, which resulted in trading losses. We have neither the desire nor the ability to prevent token holders from selling. But if the community so wishes, we can also create a special LVL auction for up to the amount of the exploit (214k LVL), where the price will start at $0 and the purchased LVL tokens will be vested over 365 days.
3) The purpose of the DAO's Treasury is not purely profit capture. It is a vehicle meant to facilitate essential functions within the Level ecosystem and, when necessary, to come to the support of Level's community of users. If the community so wishes, the Treasury can either commit to buying up to 214k LVL and keeping it on the Treasury's balance, or burn 214k LVL out of the Treasury directly. Not unlike the Fed, the DAO has incredible holding power. Net net, this also has no impact on the Treasury over the long run. (Should this option be chosen, a follow-on vote will decide whether to buy back or burn outright.)
Going forward, the Level team will place an even greater emphasis on DevOps and OPSEC. We have engaged the Quantstamp team on a continuous basis to conduct real-time security reviews of all contract upgrades. Given the sheer volume and complexity of Level's codebase, along with our speed of development, this has unfortunately been an ongoing challenge. Nevertheless, steps will be taken to minimize future attacks. As with any project pioneering a new field, it comes with inherent risks and trade-offs. Please bear with us as we learn. Together we will iteratively improve the protocol. In time the Level community will own one of the most significant assets within the industry.
a) 1 only b) 2 only c) 3 only d) 1 and 2 only e) 1 and 3 only f) 2 and 3 only g) 1, 2 and 3
Only LGO token holders are eligible to vote.