Lodestar Finance exploited in flash loan attack


The main vulnerability behind the attack was the GLPOracle and how it determines its price.



Arbitrum-based lending protocol Lodestar Finance was exploited in a flash loan attack on Dec. 10. According to Lodestar, the attacker manipulated the price of the plvGLP token before borrowing all platform liquidity using the inflated token.

In a Twitter thread, Lodestar explained the attack flow. The attacker first manipulated the exchange rate of the plvGLP contract to 1.83 GLP per plvGLP, "an exploit that by itself would be unprofitable", said the company.

Then, the attacker supplied plvGLP collateral to Lodestar and borrowed all available liquidity, cashing out part of the funds "until the collateralization ratio mechanics prevented a full liquidation of the plvGLP."

Following the hack, "several plvGLP holders also took advantage of the opportunity and also cashed out at 1.83 glp per plvGLP." The hacker was able to burn a little over 3 million in GLP, making profit on the "stolen funds on Lodestar - minus the GLP they burned," noted the DeFi platform.

The attacker made about $5.8 million in profit. Lodestar states that about 2.8 million of the GLP (about $2.4 million) was recoverable, which should be used to repay depositors. The company is trying to negotiate a bug bounty with its exploiter:

— Lodestar Finance (@LodestarFinance) December 10, 2022

The main vulnerability that led to the attack is the GLPOracle and how it determines its price. In an analysis, the Solidity Finance audit team said the case highlighted "that using oracles resistant to manipulation is a critically important part of DeFi, especially in protocols which lend out user assets."
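A toy model of the valuation failure in the attack flow above, and of the manipulation resistance the audit team calls for. This is an added Python example, not Lodestar's, Plutus' or any audited contract's code; the pool size, collateral factor, GLP price and the bound on honest yield growth are assumed values chosen for illustration.

```python
"""Lending market that values plvGLP collateral from the wrapper's exchange rate.

plvGLP is a yield-bearing wrapper around GLP, so its GLP-per-plvGLP rate should
only creep upward as yield accrues. A 'spot' oracle trusts any reported rate; a
'bounded' oracle rejects growth faster than yield could explain. Constructed
example; all numbers are assumptions, except the 1.83 rate reported on the page.
"""
from dataclasses import dataclass

GLP_USD = 0.85            # assumed GLP price in USD
SECONDS_PER_DAY = 86_400


@dataclass
class PlvGlpOracle:
    last_rate: float          # last accepted GLP-per-plvGLP rate
    last_update: float        # unix time at which it was accepted
    max_daily_growth: float   # assumed upper bound on honest yield accrual (1% / day)

    def spot(self, reported_rate: float, now: float) -> float:
        """Vulnerable: returns whatever the wrapper reports right now."""
        return reported_rate

    def bounded(self, reported_rate: float, now: float) -> float:
        """Hardened: clamp to the largest rate honest yield could have produced
        since the last update (a real contract might revert or pause instead)."""
        elapsed_days = max(now - self.last_update, 0.0) / SECONDS_PER_DAY
        cap = self.last_rate * (1.0 + self.max_daily_growth * elapsed_days)
        return min(reported_rate, cap)


def max_borrow_usd(pool_liquidity_usd: float, collateral_factor: float,
                   plvglp_amount: float, glp_per_plvglp: float) -> float:
    """Borrow limit = collateral value * factor, capped by what the pool holds."""
    collateral_usd = plvglp_amount * glp_per_plvglp * GLP_USD
    return min(pool_liquidity_usd, collateral_usd * collateral_factor)


def scenario(oracle_mode: str) -> dict:
    """Attacker pushes the reported rate from 1.00 to 1.83 GLP per plvGLP within
    a few seconds, then posts 1,000,000 plvGLP against a $1M pool at 80% LTV."""
    oracle = PlvGlpOracle(last_rate=1.00, last_update=1_000_000.0, max_daily_growth=0.01)
    price_fn = oracle.spot if oracle_mode == "spot" else oracle.bounded
    rate_used = price_fn(1.83, now=1_000_012.0)          # 12 s after last update
    fair = max_borrow_usd(1_000_000, 0.80, 1_000_000, 1.00)   # value at the honest rate
    borrowed = max_borrow_usd(1_000_000, 0.80, 1_000_000, rate_used)
    return {"rate_used": rate_used, "borrowed_usd": borrowed, "excess_usd": borrowed - fair}


if __name__ == "__main__":
    for mode in ("spot", "bounded"):
        print(mode, scenario(mode))
```

With the spot oracle the inflated rate lets the position borrow the entire pool; the bounded oracle values the same collateral within a dollar of its honest rate.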

In a statement, governance aggregator PlutusDAO noted that its "products and platform functioned exactly as intended through the entire event. All funds on Plutus are completely safe. The exploit was solely a result of Lodestar's oracle implementation." It also stated:

"We want to take responsibility for promoting an unaudited protocol. While the exploit is in no way Plutus' fault, we acknowledge the fact that we were too eager to promote a protocol integrating plvGLP. With plvGLP gaining significant traction, we've wanted to highlight all plvGLP integrations to our community to stress the adoption and opportunities the integrations have presented both to individual users and protocols. For this, we apologize. We jumped the gun, and going forward we will no longer be promoting protocols that are not audited."

The Lodestar attack was similar to the Mango Markets exploit on Oct. 11, when over $100 million was stolen through an attacker manipulating price oracle data, allowing the hackers to take out under-collateralized cryptocurrency loans.
