Lodestar Finance exploited in flash loan attack

Published at: Dec. 11, 2022

Arbitrum-based lending protocol Lodestar Finance was exploited in a flash loan attack on Dec. 10. According to Lodestar, the attacker manipulated the price of the plvGLP token before borrowing all platform liquidity using the inflated token.

In a Twitter thread, Lodestar explained the attack flow. The attacker first manipulated the exchange rate of the plvGLP contract to 1.83 GLP per plvGLP, "an exploit that by itself would be unprofitable", said the company.

Then, the attacker supplied plvGLP collateral to Lodestar and borrowed all available liquidity, cashing out part of the funds "until the collateralization ratio mechanism prevented a full liquidation of the plvGLP."

Following the hack, "several plvGLP holders also took advantage of the opportunity and also cashed out at 1.83 glp per plvGLP." The hacker was able to burn a little over 3 million in GLP, making profit on the "stolen funds on Lodestar - minus the GLP they burned.", noted the DeFi platform.

The attacker made around $5.8 million in profit. Lodestar states that nearly 2.8 million of the GLP (about $2.4 million) was recoverable, which should be used to repay depositors. The company is trying to negotiate a bug bounty with its exploiter:

If you are the hacker, reach out to us so we can find a white-hat agreement and move on. Recovering the funds of our users is the main priority and we will generously reward your collaboration.#Hack #whitehat #Arbitrum $LODE #Exploit #DEFI https://t.co/SWlCr3KMib

— Lodestar Finance (,) (@LodestarFinance) December 10, 2022

The main vulnerability that led to the attack is inside GLPOracle and how it conducts its price. In an analysis, Solidity Finance audit team said the event highlighted "that utilizing oracles resistant to manipulation is a critically important piece of DeFi, especially in protocols which lend out user assets."

In a statement, governance aggregator PlutusDAO noted that its "products and platform functioned exactly as intended through the entire event. All funds on Plutus are completely safe. The exploit was solely a result of Lodestar’s oracle implementation." It also stated:

"We want to take responsibility for promoting an unaudited protocol. While the exploit is in no way Plutus’ fault, we recognize the fact that we were too eager to promote a protocol integrating plvGLP. With plvGLP gaining significant traction, we’ve wanted to highlight all plvGLP integrations to our community to emphasize the adoption and opportunities the integrations have presented both to individual users and protocols. For this, we apologize. We jumped the gun, and going forward we will no longer be promoting protocols that are not audited."

The Lodestar attack was similar to the Mango Markets exploit on Oct. 11, when over $100 million was stolen through an attacker manipulating price oracle data, allowing the hackers to take out under-collateralized cryptocurrency loans.

Tags
Related Posts
​​Cream Finance DeFi platform loses $19M in a flash loan hack
Cream Finance, a major decentralized finance (DeFi) protocol focused on lending, has suffered a severe exploit, with a hacker stealing nearly $19 million from its platform. An unknown hacker has managed to gain $18.8 million in the latest flash loan exploit of the Cream Finance protocol through a reentrancy bug introduced by the Amp token, according to an investigation by blockchain security firm PeckShield. Announcing the news Monday, Cream Finance said that the protocol has stopped the exploit by pausing supply and borrow contracts on the Amp token. “No other markets were affected,” Cream Finance stated. C.R.E.A.M. v1 market on …
Decentralization / Aug. 30, 2021
Force token sees volatile 24 hours following coordinated attack on ForceDAO
Hackers made off with 183 Ether (ETH), worth roughly $386,000 at the time of writing, following a coordinated attack on DeFi platform ForceDAO Sunday. Following an initial sell-off, ForceDAO’s native Force token was in recovery mode on Monday, capping off a highly volatile 24 hours for the newly launched project. ForceDAO detailed the Sunday exploit in a series of tweets, taking ownership of the “engineering oversight” that resulted in the attack, which centered around the platform’s xFORCE contract. POST-MORTEM To the Force and DeFi community, we'd like to share a post-mortem on the recent xFORCE exploit. Thanks to everyone technical …
Altcoin / April 5, 2021
Yearn.Finance puts expanded treasury to use by repaying victims of $11M hack
Major decentralized finance protocol Yearn.Finance (YFI) has restored its yDAI vault in the aftermath of a $11 million exploit by hackers. Yearn announced Tuesday that they opened a Maker vault with YFI tokens from the treasury and minted 9.7 million DAI tokens from the vault to keep the yDAI vault intact. Using borrowed money allows the project to reimburse users without taking a hit to the treasury, either due to possible YFI appreciation or by gradually repaying the debt with protocol revenue. The team said that this is a one-off occurrence, as they expect users to hedge their own risks …
Technology / Feb. 9, 2021
Jump Crypto replenishes funds from $320M Wormhole hack in largest-ever DeFi 'bailout'
On Thursday, Jump Crypto, a crypto venture capital firm that owns Certus One, the developer of the Wormhole token bridge, announced it had deposited 120 thousand Ether (ETH) into a Solana-Ethereum bridge that suffered a devastating exploit. The day prior, hackers fraudulently minted 120 thousand wrapped Ether (wETH) worth $321 million on the Solana (SOL) platform, then redeemed 93,750 wETH for ETH on the Ethereum network while swapping the rest for other altcoins on the Solana network. The cross-chain ETH-wETH is supposed to have an exchange ratio of 1:1 against one another. Therefore, unauthorized minting of wETH leads to significant …
Technology / Feb. 3, 2022
Rari Fuze hacker offered $10M bounty by Fei Protocol to return $80M loot
Decentralized finance (DeFi) platform Fei Protocol offered a $10 million bounty to hackers in an attempt to negotiate and retrieve a major chunk of the stolen funds from various Rari Fuse pools worth $79,348,385.61 — nearly $80 million. On Saturday, Fei Protocol informed its investors about an exploit across numerous Rari Capital Fuse pools while requesting the hackers to return the stolen funds against a $10 million bounty and a “no questions asked” commitment. We are aware of an exploit on various Rari Fuse pools. We have identified the root cause and paused all borrowing to mitigate further damage. To …
Blockchain / May 1, 2022