Connect with us

Cryptocurrency

Lodestar Finance exploited in a flash loan attack

Avatar

Published

on

Arbitrum-based lending protocol Lodestar Finance was exploited in a flash loan attack on December 10, according to Lodestar, the attacker manipulated the price of the plvGLP token before borrowing all of the platform’s liquidity using the inflated token.

In the Twitter thread, Lodestar explained attack flow. The attacker first manipulated the exchange rate of the plvGLP contract to 1.83 GLP per plvGLP, “an exploit that would itself be unprofitable,” the company said.

After that, the attacker provided plvGLP collateral to Lodestar and borrowed all available liquidity, disbursing part of the funds “until the collateral ratio mechanism prevented plvGLP from being fully liquidated.”

Advertisement

After the hack, “many plvGLP holders took advantage of the opportunity and also received 1.83 GLP per plvGLP.” The hacker was able to burn just over 3 million in GLP, making a profit from “the money stolen in Lodestar – minus the GLP they burned.” DeFi platform indicated.

The attacker earned an estimated earnings of around $5.8 million. Lodestar says that approximately 2.8 million GLP (about $2.4 million) was recoverable, which should be used to repay depositors. The company is trying to negotiate bounty for a bug with its exploiter:

The main vulnerability that triggered the attack is inside GLPOracle and how it manages its price. In an analysis, the Solidity Finance audit team said the event highlighted “that the use of tamper-resistant oracles is a very important part of DeFi, especially in protocols that lend user assets.”

Advertisement

In a statement, the PlutusDAO governance aggregator pointed out that “their products and platform work exactly as planned during the entire event. All funds on Plutus are completely safe. The exploits were solely the result of Lodestar’s implementation.” As stated in it:

“We want to take responsibility for promoting an unaudited protocol. While the exploit is by no means Plutus’ fault, we are aware of the fact that we have been very eager to promote a protocol that integrates plvGLP. With plvGLP gaining significant traction, we wanted to highlight all of the integrations of plvGLP plvGLP to our community for emphasizing the adoption and opportunities that the integrations presented to both users and individual protocols. For this, we apologize. We have jumped ahead, and will no longer be able to promote unaudited protocols.”

The Lodestar attack was similar to the Mango Markets exploit on October 11, when More than $100 million has been stolen Through an attacker manipulating the price data of the Oracle, allowing hackers to obtain unsecured cryptocurrency loans.