DeFi protocol Lodestar Finance hacked in flash loan attack
On December 10, a flash loan attack was launched against Lodestar Finance, an Arbitrum-based lending and borrowing protocol. According to Lodestar, the attacker inflated the value of PlutusDAO's plvGLP token, pledged it as collateral, and used it to borrow all of the liquidity available on the protocol.
Lodestar explains
Lodestar laid out the attack process in a series of tweets. The attacker started by setting the plvGLP contract exchange rate to 1.83 GLP per plvGLP, “an attack that alone would be unprofitable,” as the firm put it. Then, the attacker pledged the plvGLP as collateral with Lodestar, borrowing the maximum amount possible and withdrawing a portion of the money “until the CRM precluded a total liquidation of the plvGLP.”
Lodestar added that after the hack “many plvGLP holders” “also got 1.83 glp per plvGLP”. By its account, the attacker's profit was the “funds stolen on Lodestar – less the GLP they destroyed”, which comes to a little more than 3 million GLP.
The attacker netted almost $5.8 million. Lodestar says, however, that about 2.8 million GLP (around $2.5 million) is recoverable and is to be used to repay depositors, and that it is in talks with the attacker over a bug bounty.
The primary flaw that allowed the attack lies in the oracle Lodestar built to price plvGLP. As the Solidity Finance audit team put it, the incident showed “that deploying oracles immune to exploitation is a critically essential part of DeFi, particularly in protocols that lend out user assets.”
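To make the attack sequence in Lodestar's tweets and the oracle weakness concrete, here is a small Python model. It is an added illustration written for this article, not code from Lodestar, PlutusDAO or their auditors. The 1.83 GLP-per-plvGLP figure is the one the article quotes; the class names, every other number and the step-capped oracle design are assumptions. How the attacker moved the exchange rate is not described on the page, so the toy abstracts it into a `set_rate` call and assumes the rate falls back once the attack transaction ends.

```python
"""Toy model of a lending pool that prices vault shares (plvGLP-like) off the
vault's live exchange rate, beside one that bounds how far an accepted rate may
move per block.

Added illustration for this article, not Lodestar's or PlutusDAO's code. The
1.83 GLP-per-plvGLP figure is the article's; the class names, every other
number and the step-capped oracle design are assumptions. How the attacker
moved the rate is abstracted into Vault.set_rate, because the article does not
say, and the toy assumes the rate falls back once the attack transaction ends.
"""
from dataclasses import dataclass


@dataclass
class Vault:
    """Share token (plvGLP-like) redeemable for `rate` units of underlying (GLP-like)."""
    rate: float = 1.0

    def set_rate(self, rate: float) -> None:
        # Stand-in for whatever moved the real exchange rate (assumed reversible).
        self.rate = rate


class SpotOracle:
    """The manipulable design: report whatever the vault says right now."""

    def __init__(self, vault: Vault) -> None:
        self.vault = vault

    def price(self, block: int) -> float:
        return self.vault.rate


class StepCappedOracle:
    """Hardened design (assumption, not Lodestar's fix): upward moves are capped
    at `max_step` per block relative to the last accepted rate, and the anchor
    is raised at most once per block, so a jump engineered inside a single
    transaction cannot be priced in. Downward moves are accepted immediately,
    the conservative direction when valuing collateral."""

    def __init__(self, vault: Vault, max_step: float = 0.01) -> None:
        self.vault = vault
        self.max_step = max_step
        self.anchor = vault.rate
        self.anchor_block = -1

    def price(self, block: int) -> float:
        live = self.vault.rate
        if live < self.anchor:
            self.anchor = live  # drops are taken at face value
            self.anchor_block = block
        elif block > self.anchor_block:
            self.anchor = min(live, self.anchor * (1.0 + self.max_step))
            self.anchor_block = block
        return self.anchor


@dataclass
class Position:
    shares: float
    debt: float = 0.0


class LendingPool:
    """Compound-style pool: borrow up to collateral_factor x oracle value of pledged shares."""

    def __init__(self, oracle, liquidity: float, collateral_factor: float = 0.75) -> None:
        self.oracle = oracle
        self.liquidity = liquidity
        self.cf = collateral_factor

    def borrow_max(self, pos: Position, block: int) -> float:
        """Borrow as much as the oracle price allows, or the whole pool if that is less."""
        capacity = pos.shares * self.oracle.price(block) * self.cf - pos.debt
        amount = max(0.0, min(capacity, self.liquidity))
        pos.debt += amount
        self.liquidity -= amount
        return amount

    def shortfall(self, pos: Position, block: int) -> float:
        """Debt not covered by the collateral at the current price: bad debt if > 0."""
        return max(0.0, pos.debt - pos.shares * self.oracle.price(block))


def run_attack(make_oracle, pledged_shares: float = 1_000_000.0,
               liquidity: float = 2_000_000.0, inflated_rate: float = 1.83) -> dict:
    """One attack transaction in block 2, bracketed by honest blocks 1 and 3 (constructed scenario)."""
    vault = Vault(rate=1.0)
    oracle = make_oracle(vault)
    pool = LendingPool(oracle, liquidity)
    pos = Position(shares=pledged_shares)

    pool.oracle.price(block=1)                # ordinary activity before the attack
    vault.set_rate(inflated_rate)             # attack tx: rate jumps inside one block...
    borrowed = pool.borrow_max(pos, block=2)  # ...and is used to size the loan
    vault.set_rate(1.0)                       # manipulation unwound at the end of the tx
    return {"borrowed": borrowed, "bad_debt": pool.shortfall(pos, block=3)}


if __name__ == "__main__":
    for name, factory in (("spot oracle", SpotOracle), ("step-capped oracle", StepCappedOracle)):
        r = run_attack(factory)
        print(f"{name}: borrowed {r['borrowed']:,.0f} GLP, bad debt {r['bad_debt']:,.0f} GLP")
```

With the spot oracle the attacker pledges shares worth 1,000,000 GLP, borrows 1,372,500 GLP against them at the inflated rate, and leaves the pool with 372,500 GLP of bad debt once the rate returns to normal; with the step-capped oracle the same jump is clamped to 1%, the loan is sized at 757,500 GLP, and the position stays over-collateralized. The cap has a cost, since honest repricing is also slowed, so a real deployment would pair it with a pause or guardian path for the rare legitimate step change.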
PlutusDAO releases statement
PlutusDAO, a governance aggregator, released a statement saying, “Everything went off without a hitch, and the products and platform did what they were supposed to do. Plutus guarantees the security of all user monies at all times. Only Lodestar’s oracle implementation was responsible for the vulnerability.” The statement continued:
“We’d like to own up to the fact that we’re advocating for a non-verified procedure. Even though this exploit is not Plutus’ fault, we now realize that we were far too quick to advocate for a protocol that included plvGLP.
“With plvGLP’s growing popularity, it was important to ensure our community knew about every plvGLP integration to underline the integrations’ widespread use and the benefits they’ve brought to protocol development and individual users. We sincerely regret this. We jumped to conclusions. Therefore, from now on, we won’t be advocating for protocols that an independent auditor hasn’t reviewed.”
The incident resembles the Mango Markets exploit of October 11, in which more than $100 million was taken by manipulating price oracle data. In both cases the manipulated oracle let the attacker take out loans that were, at real prices, under-collateralized.