Levana, a swap protocol within the Osmosis blockchain ecosystem, suffered a hacking incident resulting in a loss of over $1.1 million from its liquidity pools. A report released by the team revealed that the attack transpired over a span of 13 days, between December 13 and December 26, during which hackers drained about 10% of the protocol’s liquidity pools.
The attackers exploited a congestion attack in the Osmosis ecosystem that hindered Levana users from interacting with the markets. This was due to a flaw in Osmosis’s price market code combined with a price stagnation code in Levana’s integration with the Pyth oracle, enabling the attackers to manipulate prices and deplete the pools. The Levana team commented on the issue, indicating that the Osmosis fee market code’s bug meant that transaction fees provided during peak times were often insufficient for transactions or ongoing bot maintenance activities.
The team clarified that there was no security vulnerability with the Pyth oracle and it performed as expected. Levana is currently working on a fix to upgrade the price code in the ecosystems where the protocol is deployed, including Osmosis, Sei, and Injective networks.
Despite the attack, Levana assured that existing positions and profits within the protocol were not affected. However, new positions and changes to existing ones have been temporarily halted until a planned update next week. Levana aims to compensate affected liquidity providers through an airdrop event and by refunding the protocol fees collected during the attack.
Blockchain technology, while offering significant advantages to users, is also prone to security vulnerabilities that have led to substantial losses for many investors. These hacking incidents necessitate regulatory measures from governments in the blockchain space, and also cause fear and concern among users. The blockchain field, which saw significant interest in 2021, has yet to regain its former appeal, particularly due to security concerns.