https://biz.crast.net/lodestar-finance-exploited-in-sudden-loan-onslaught/
Arbitrum-based lending protocol Lodestar Finance was exploited in a flash loan attack on 10 December. According to Lodestar, the attacker manipulated the price of the plvGLP token before using the inflated token to borrow all of the platform’s liquidity.
In a Twitter thread, Lodestar explained the flow of the attack. The attacker manipulated the exchange rate of the first plvGLP contract to 1.83 GLP per plvGLP, “an exploit that would be unprofitable by itself”, the company said.
Then, the attacker supplied plvGLP collateral to Lodestar and borrowed all available liquidity “until the Collateralization Ratio mechanism prevented a full liquidation of PLVGLP.”
Following the hack, “several PLVGLP holders also took advantage of the opportunity and redeemed 1.83 GLP per PLVGLP.” The hacker was able to burn a little over 3 million in GLP, “the stolen funds on Lodestar – minus the GLP they burned,” noted the DeFi platform.
The attacker made a profit of around $5.8 million. Lodestar says about 2.8 million GLP (about $2.4 million) was recoverable, which should be used to repay depositors. The company is trying to negotiate a bug bounty with its exploiter.
The root cause of the attack lies in the GLPoracle contract and how it derives its price. In an analysis, the Solidity Finance audit team said the incident highlights that “the use of tamper-resistant oracles is an important part of DeFi, especially in protocols where users lend assets.”
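To make the oracle point concrete, here is an added illustration (not code from Lodestar, Plutus or Solidity Finance) of why a lending protocol that reads a manipulable exchange rate straight from the collateral contract can be drained, and how a deviation-bounded oracle limits the damage. The 1.83 GLP per plvGLP figure is the one reported above; the honest rate of roughly 1.0, the 5% deviation policy, the GLP price, the collateral factor and the position size are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from statistics import median


@dataclass
class SpotOracle:
    """Naive oracle: trusts whatever exchange rate the collateral contract reports now."""

    def rate(self, spot: float) -> float:
        return spot


@dataclass
class GuardedOracle:
    """Exchange-rate oracle with a bounded-deviation guard (constructed example).

    `history` holds recently observed plvGLP->GLP exchange rates. A new spot reading
    is accepted only if it stays within `max_deviation` of the median of the history;
    otherwise the median reference is used instead. This is a simplified stand-in
    for a TWAP or a multi-source oracle, not the design of any real protocol.
    """

    history: list = field(default_factory=lambda: [1.0, 1.01, 0.99, 1.0, 1.02])
    max_deviation: float = 0.05  # assumed policy: reject jumps larger than 5%

    def reference(self) -> float:
        return median(self.history)

    def rate(self, spot: float) -> float:
        ref = self.reference()
        if abs(spot - ref) / ref > self.max_deviation:
            # Out-of-band reading: fall back to the trailing reference and do not
            # let the outlier enter the history.
            return ref
        self.history.append(spot)
        return spot


def max_borrow_usd(plvglp_amount: float, rate: float,
                   glp_price_usd: float, collateral_factor: float) -> float:
    """Borrow limit implied by the collateral valuation: amount * rate * price * factor."""
    return plvglp_amount * rate * glp_price_usd * collateral_factor


def borrow_capacity(oracle, plvglp_amount: float, spot_rate: float,
                    glp_price_usd: float = 1.0, collateral_factor: float = 0.5) -> float:
    """Borrow limit the lending pool would grant using the given oracle's view of the rate."""
    return max_borrow_usd(plvglp_amount, oracle.rate(spot_rate),
                          glp_price_usd, collateral_factor)


def rate_anomaly(oracle: GuardedOracle, spot_rate: float) -> bool:
    """Monitoring check: True when a reported rate exceeds the guard's deviation bound."""
    ref = oracle.reference()
    return abs(spot_rate - ref) / ref > oracle.max_deviation


if __name__ == "__main__":
    position = 1_000_000  # constructed plvGLP position
    manipulated = 1.83    # GLP per plvGLP, as reported in the incident
    print("spot oracle   :", borrow_capacity(SpotOracle(), position, manipulated))
    print("guarded oracle:", borrow_capacity(GuardedOracle(), position, manipulated))
    print("anomaly flagged:", rate_anomaly(GuardedOracle(), manipulated))
```

With these assumptions the spot oracle values the same collateral at nearly twice what the guarded oracle does, which is the headroom an attacker uses to borrow out the pool; the guard collapses the inflated reading back to the trailing reference and the same condition doubles as an alert signal for a monitoring job.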
In a statement, governance aggregator PlutusDAO said that its “products and platform functioned exactly as intended throughout the event. All funds on Plutus were completely secure. The exploit was entirely the result of Lodestar’s oracle implementation.” It also said:
“We want to take responsibility for promoting an unaudited protocol. While the exploit is in no way Plutus’ fault, we recognize the fact that we were too eager to promote a protocol that integrates plvGLP. With plvGLP gaining significant traction, we wanted to highlight all plvGLP integrations to our community to emphasize the adoption and opportunities for both individual users and the protocol by the integration. We apologize for this.”
The Lodestar attack was similar to the Mango Markets exploit on October 11, when an attacker stole over $100 million by manipulating price oracle data, which allowed the attacker to take out under-collateralized cryptocurrency loans.