Hackers copied Mango Markets attacker's methods to exploit Lodestar: CertiK


The attacker made nearly $6.9 million in profits and left users with a pile of bad debt.


According to a post-mortem analysis provided by CertiK of the $5.8 million Lodestar Finance exploit that occurred on Dec. 10,

5. The hacker burned a little over 3 million in GLP, their net on this exploit was the stolen funds on Lodestar - minus the GLP they burned.

6. 2.8 Million of the GLP is recoverable, which is worth about $2.4 million. We are going to reach out to the hacker and...

— Lodestar Finance (@LodestarFinance) December 10, 2022

In a similar instance, CertiK said that Lodestar Finance hackers "artificially pumped the price of an illiquid collateral asset which they then borrow against, leaving the protocol with irretrievable debt."

"Despite some of the losses being potentially recoverable, the protocol is functionally insolvent right now, and users are being urged not to repay any loans they have taken out."

The attack occurred through a vulnerability in PlutusDAO's plvGLP token on Lodestar. According to its documentation, Lodestar "uses verified, secure Chainlink price feeds for every asset it offers with the exception of plvGLP." Instead, the exchange rate of plvGLP to GLP on Lodestar relied on the vault's total assets divided by its total supply, a spot figure that can be moved within a single transaction.

As explained by CertiK, the exploiter first funded their wallet with 1,500 Ether (ETH) on Dec. 8, and then took out 8 flashloans for a total of about $70 million worth of USD Coin (USDC), wrapped Ether (wETH), and DAI (DAI) two days later. This drove the exchange rate of plvGLP to GLP to 1.00:1.83, which meant that the exploiter was able to borrow even more assets from the protocol.
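As an added illustration (not code from CertiK, Lodestar, or PlutusDAO), the following models how a spot totalAssets/totalSupply exchange rate feeds collateral valuation, and the deviation guard a lending market can apply against an independent reference such as a verified price feed or the last accepted rate. Every figure except the 1.00 to 1.83 rate quoted above is constructed, and the vault state that yields 1.83 is chosen only to reproduce that rate, not to model how it was reached.

```python
from dataclasses import dataclass

@dataclass
class Vault:
    """Minimal stand-in for a plvGLP-style vault (constructed, not the real contract)."""
    total_assets: float   # underlying GLP held by the vault
    total_supply: float   # plvGLP shares outstanding

    def spot_rate(self) -> float:
        """The naive exchange rate the article describes: assets divided by supply."""
        return self.total_assets / self.total_supply

def collateral_value(shares: float, rate: float, glp_price_usd: float) -> float:
    """USD value the lending market assigns to `shares` of plvGLP at a given rate."""
    return shares * rate * glp_price_usd

def max_borrow(shares: float, rate: float, glp_price_usd: float, collateral_factor: float) -> float:
    """Borrowing power derived from that valuation (collateral factor is assumed)."""
    return collateral_value(shares, rate, glp_price_usd) * collateral_factor

def guarded_rate(spot: float, reference: float, max_deviation: float = 0.05):
    """Accept the spot rate only if it is within max_deviation of an independent
    reference; otherwise keep the reference and flag the anomaly for review."""
    deviation = abs(spot - reference) / reference
    if deviation > max_deviation:
        return reference, True
    return spot, False

def scenario() -> dict:
    """Compare borrowing power before and after the rate move, with and without the guard."""
    before = Vault(total_assets=10_000_000, total_supply=10_000_000)  # 1.00:1.00 (constructed)
    after = Vault(total_assets=18_300_000, total_supply=10_000_000)   # reproduces the 1.00:1.83 rate
    shares, glp_usd, cf = 1_000_000, 0.85, 0.75                        # constructed position and parameters
    naive_before = max_borrow(shares, before.spot_rate(), glp_usd, cf)
    naive_after = max_borrow(shares, after.spot_rate(), glp_usd, cf)
    rate, flagged = guarded_rate(after.spot_rate(), reference=before.spot_rate())
    guarded_after = max_borrow(shares, rate, glp_usd, cf)
    return {
        "naive_before": naive_before,
        "naive_after": naive_after,
        "guarded_after": guarded_after,
        "flagged": flagged,
    }

if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

With the guard, the 83% jump is rejected and borrowing power stays at the pre-move figure; without it, the same position can borrow 1.83 times as much.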

The borrowings quickly consumed all liquidity on the platform, leading the hacker to transfer the funds out of Lodestar and leaving users with bad debt. It is estimated that the exploiter made a total of $6.9 million in profits through the attack vector.

"While Lodestar is reaching out to the exploiter in an attempt to negotiate a bug bounty ex post facto, the funds are likely to be mostly unrecoverable. In the absence of an insurance fund that can cover the losses, users of the platform bear the cost of the exploit."

CertiK warned that the attack "is the result of flaws in the protocol's design rather than a bug in its smart contract code." The blockchain security firm further highlighted that Lodestar launched without an audit, and, therefore, without a third-party review of its protocol design.
