Hackers copied Mango Markets attacker's methods to exploit Lodestar: CertiK

Published at: Dec. 12, 2022

According to a post-mortem analysis provided by CertiK of the $5.8 million Lodestar Finance exploit that occurred on Dec. 10, 

5. The hacker burned a little over 3 million in GLP, their profit on this exploit was the stolen funds on Lodestar - minus the GLP they burned.
6. 2.8 Million of the GLP is recoverable, which is worth about $2.4 million. We are going to reach out to the hacker and...

— Lodestar Finance (@LodestarFinance) December 10, 2022

As in the Mango Markets exploit, CertiK said the Lodestar Finance hackers "artificially pumped the price of an illiquid collateral asset which they then borrow against, leaving the protocol with irretrievable debt."

"Despite some of the losses being potentially recoverable, the protocol is functionally insolvent right now, and users are being urged not to repay any loans they have taken out."

The attack occurred through a vulnerability in how Lodestar priced PlutusDAO's plvGLP token. According to its documentation, Lodestar "uses verified, secure Chainlink price feeds for every asset it offers with the exception of plvGLP." Instead, Lodestar derived the plvGLP-to-GLP exchange rate from the vault's total assets divided by its total supply. Because both terms are on-chain balances, anyone who can add assets to the vault without minting a matching amount of shares can move that rate within a single transaction.

As explained by CertiK, the exploiter funded their wallet with 1,500 Ether (ETH) on Dec. 8 and, two days later, took out eight flash loans for a total of approximately $70 million worth of USD Coin (USDC), wrapped Ether (wETH) and Dai (DAI). Pushing that capital into the plvGLP vault inflated its total assets without a matching increase in plvGLP supply, driving the plvGLP-to-GLP exchange rate to 1.00:1.83 and allowing the exploiter to borrow far more from the protocol than the collateral would otherwise support.

The borrowings quickly consumed all liquidity on the platform, after which the hacker transferred the funds out of Lodestar, leaving users with bad debt. It is estimated that the exploiter made a total of $6.9 million in profit through this attack vector.
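The following is an added, constructed model of the failure described above; it is not Lodestar's, PlutusDAO's or CertiK's code, and every number in it (vault balances, an 8,300-unit donation, a 0.8 collateral factor, a 5% per-update rate bound) is made up for illustration. It shows how a rate computed as total assets divided by total supply jumps to 1.83 after a single donation, how a market that values collateral off that spot rate extends extra credit, and how a guard that refuses implausibly large single-update rate moves bounds the damage.

```python
"""Toy model: a vault whose share rate is total_assets / total_supply,
a lending market that prices collateral off that rate, and a guarded
oracle that rejects single-update jumps. Constructed example with made-up
numbers; not the code of any project named in the article."""

from dataclasses import dataclass


@dataclass
class Vault:
    """ERC-4626-style wrapper: shares over an underlying asset.
    rate() is the formula the article describes: total assets / total supply."""
    total_assets: float = 0.0
    total_supply: float = 0.0

    def rate(self) -> float:
        return 1.0 if self.total_supply == 0 else self.total_assets / self.total_supply

    def deposit(self, assets: float) -> float:
        """Normal path: assets in, shares minted at the current rate."""
        shares = assets / self.rate()
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def donate(self, assets: float) -> None:
        """Assets arrive without minting shares: the manipulable path.
        One transaction with enough (e.g. flash-loaned) capital moves rate()."""
        self.total_assets += assets


@dataclass
class GuardedRate:
    """Accepts a new rate only if it is within max_step of the last accepted
    value; otherwise keeps the old one. A yield-bearing wrapper's rate drifts
    slowly, so an 83% move in one update is treated as manipulation.
    Caveat: a genuine large move would also be rejected, so a real deployment
    needs a governance path to reset last_accepted."""
    last_accepted: float
    max_step: float = 0.05  # assumed bound, 5% per update

    def update(self, observed: float) -> float:
        lo = self.last_accepted * (1 - self.max_step)
        hi = self.last_accepted * (1 + self.max_step)
        if lo <= observed <= hi:
            self.last_accepted = observed
        return self.last_accepted


def borrow_limit(shares: float, rate: float, underlying_price: float,
                 collateral_factor: float, liquidity: float) -> float:
    """Credit a Compound-style market extends against `shares` of collateral,
    capped by the liquidity actually available to borrow."""
    value = shares * rate * underlying_price
    return min(value * collateral_factor, liquidity)


def simulate(donation: float = 8_300.0) -> dict:
    """Run the manipulation once and report the credit extended under a naive
    spot rate versus the guarded rate. All inputs are constructed."""
    vault = Vault()
    vault.deposit(1_000.0)                      # pre-existing depositors
    attacker_shares = vault.deposit(9_000.0)    # attacker mints shares at rate 1.0
    guard = GuardedRate(last_accepted=vault.rate())
    args = (1.0, 0.8, 50_000.0)                 # underlying price, collateral factor, liquidity

    honest_limit = borrow_limit(attacker_shares, vault.rate(), *args)
    vault.donate(donation)                      # capital pushed in without minting shares
    naive_limit = borrow_limit(attacker_shares, vault.rate(), *args)
    guarded_limit = borrow_limit(attacker_shares, guard.update(vault.rate()), *args)
    return {
        "rate": vault.rate(),                   # 1.83 with the default donation
        "honest_limit": honest_limit,
        "naive_limit": naive_limit,
        "guarded_limit": guarded_limit,
        "excess_credit": naive_limit - honest_limit,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:>14}: {value:,.2f}")
```

The guard is deliberately simple: it only bounds the per-update move, and anyone adopting it has to decide how a legitimately large rate change (or a sustained slow manipulation) gets handled. A more robust design prices the wrapper from an independent feed for the underlying plus a bounded, slowly accruing share rate, which is the kind of design review CertiK notes Lodestar launched without.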

"While Lodestar is reaching out to the exploiter in an attempt to negotiate a bug bounty ex post facto, the funds are likely to be mostly unrecoverable. In the absence of an insurance fund that can cover the losses, users of the platform bear the cost of the exploit."

CertiK warned that the attack "is the result of flaws in the protocol's design rather than a bug in its smart contract code." The blockchain security firm further highlighted that Lodestar launched without an audit, and, therefore, without a third-party review of its protocol design.
