Arbitrum-based lending protocol Lodestar Finance was exploited in a flash loan attack on Dec. 10.
Ana Paula Pereira 7 minutes ago Lodestar Finance exploited in flash loan attack
The main vulnerability behind the attack was within GLP oracle and how it conducts its price.
Own this piece of crypto history
Collect this article as NFT
Arbitrum-based lending protocol Lodestar Finance was exploited in a flash loan attack on Dec. 10. According to Lodestar, the attacker manipulated the price of the plvGLP token before borrowing all platform liquidity using the inflated token.
In a Twitter thread, Lodestar explained the attack flow. The attacker first manipulated the exchange rate of the plvGLP contract to 1.83 GLP per plvGLP, “an exploit that by itself would be unprofitable”, said the company.
Then, the attacker supplied plvGLP collateral to Lodestar and borrowed all available liquidity, cashing out part of the funds “until the collateralization ratio mechanism prevented a full liquidation of the plvGLP.”
Following the hack, “several plvGLP holders also took advantage of the opportunity and also cashed out at 1.83 glp per plvGLP.” The hacker was able to burn a little over 3 million in GLP, making profit on the “stolen funds on Lodestar - minus the GLP they burned.”, noted the DeFi platform.
The attacker made around $5.8 million in profit. Lodestar states that nearly 2.8 million of the GLP (about $2.4 million) was recoverable, which should be used to repay depositors. The company is trying to negotiate a bug bounty with its exploiter:
The main vulnerability that led to the attack is inside GLPOracle and how it conducts its price. In an analysis, Solidity Finance audit team said the event highlighted “that utilizing oracles resistant to manipulation is a critically important piece of DeFi, especially in protocols which lend out user assets.”
In a statement, governance aggregator PlutusDAO noted that its “products and platform functioned exactly as intended through the entire event. All funds on Plutus are completely safe. The exploit was solely a result of Lodestars oracle implementation.” It also stated:
“We want to take responsibility for promoting an unaudited protocol. While the exploit is in no way Plutus‘ fault, we recognize the fact that we were too eager to promote a protocol integrating plvGLP. With plvGLP gaining significant traction, we’ve wanted to highlight all plvGLP integrations to our community to emphasize the adoption and opportunities the integrations have presented both to individual users and protocols. For this, we apologize. We jumped the gun, and going forward we will no longer be promoting protocols that are not audited.”
The Lodestar attack was similar to the Mango Markets exploit on Oct. 11, when over $100 million was stolen through an attacker manipulating price oracle data, allowing the hackers to take out under-collateralized cryptocurrency loans.
The views in this article only represent the author's personal views, and do not constitute investment advice on this platform. This platform does not guarantee the accuracy, completeness and timeliness of the information in the article, and will not be liable for any loss caused by the use of or reliance on the information in the article.
Gemini Trust: Gemini Earn Users to Receive 100% Physical Digital Asset Returns Pending Court Approva
Arkham: US Government Transfers Over $1 Billion in Bitcoin from Confiscated Bitfinex Hacker Funds
Hong Kong Halts Applications for Virtual Asset Trading Platform Licenses
21Shares Integrates Chainlink Reserve Proof to Enhance Transparency of ARK 21Shares Bitcoin ETF ARKB
Pig-Butchering Scams Net More Than $75 Billion, Study Finds
Token Unlocks: Major Unlocking of Tokens ARB, SUI, APT, and Others in March
Bitcoin Magazine: Three Conditions Bitcoin Layer 2 Standards Must Fulfill
Binance Registered Users Surpass 178 Million, Records Net Inflows Exceeding $3 Billion in the Past 3