- Lodestar Finance was robbed of approximately $6.5 million in a flash loan attack
- The attacker then posted the inflated tokens as collateral and drained all accessible liquidity from Lodestar Finance, leaving the protocol with bad debt.
Lodestar Finance, a lending platform on Arbitrum, an Ethereum scaling solution, was attacked and suffered a loss of approximately $6.5 million.
The protocol has set all interest rates to zero to keep supply and borrow balances stable while it evaluates recovery options.
“Protocol was exploited and deposits were drained,” the project’s Twitter account stated on December 10 at 4:14 p.m. ET, while also declaring that it “set all interest rates to zero so that supply and borrow balances do not move while we weigh recovery options.”
The attacker succeeded in manipulating the plvGLP token exchange rate to 1.83 GLP per plvGLP, making it 83% higher than it should have been. The exploit contract then used the inflated tokens as collateral.
The attacker profited approximately $5.8 million. According to Lodestar, nearly 2.8 million GLP (about $2.4 million) was recoverable and should be used to repay depositors. The company is attempting to negotiate a bug bounty with the exploiter.
The exploiter took out eight flash loans (totaling $70.5 million), then deposited all of the borrowed ETH (14,960) into GMX to begin the attack. Following that, the exploiter pooled the WETH (14,960), withdrew and deposited it to GMX, and exchanged 14,960 WETH for 19,001,512 USDC.
The major flaw that enabled the attack lies within GLPOracle and how it performs its pricing. According to the Solidity Finance audit team, the incident demonstrated “that using oracles resistant to deception is an introspectively critical feature of DeFi, particularly in protocols that lend out user assets.”
Donation attacks are not unique to plvGLP; they can be carried out against other standard vault contracts by transferring tokens directly to the vault. The oracle design must be significantly upgraded. Accounting for donated GLP would have prevented this, but it would also have produced misleading pricing, because legitimately donated GLP does underpin plvGLP. To close this avenue, the oracle must not reflect an immediate exchange-rate transition within the same block.
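The following toy model, added here as an illustration and not code from Lodestar, Plutus or the auditors, shows why a share-price oracle that reads vault balances directly moves in the same block as a donation, and how an oracle that commits a rate only once per block and bounds the step between blocks (the 5% cap is an assumed value) refuses to follow the jump. The vault, the 1000 GLP deposit and the 830 GLP donation are constructed to reproduce the 1.83 ratio quoted above.

```python
class Vault:
    """Minimal vault: plvGLP-style shares backed by GLP (hypothetical model, not Plutus's code)."""
    def __init__(self) -> None:
        self.glp_balance = 0.0
        self.share_supply = 0.0

    def deposit(self, glp: float) -> float:
        """Mint shares at the current ratio (1:1 for the first depositor)."""
        shares = glp if self.share_supply == 0 else glp * self.share_supply / self.glp_balance
        self.glp_balance += glp
        self.share_supply += shares
        return shares

    def donate(self, glp: float) -> None:
        """GLP sent straight to the vault with no shares minted: this inflates the ratio."""
        self.glp_balance += glp

    def exchange_rate(self) -> float:
        """GLP per share read straight from the balances; a naive oracle reports this as-is."""
        return self.glp_balance / self.share_supply


class GuardedOracle:
    """Reports only a rate committed in an earlier block and bounds the step between blocks."""
    def __init__(self, vault: Vault, start_block: int, max_step: float = 0.05) -> None:
        self.vault = vault
        self.max_step = max_step  # assumed bound on relative change per block
        self.rate = vault.exchange_rate()
        self.rate_block = start_block

    def update(self, block: int) -> None:
        """Commit a new rate at most once per block; a same-block change is ignored."""
        if block <= self.rate_block:
            return
        observed = self.vault.exchange_rate()
        lo, hi = self.rate * (1 - self.max_step), self.rate * (1 + self.max_step)
        self.rate = min(max(observed, lo), hi)
        self.rate_block = block


def simulate(donation: float = 830.0) -> dict:
    """Deposit 1000 GLP, donate in block 1, and compare what each oracle reports."""
    vault = Vault()
    vault.deposit(1000.0)
    guarded = GuardedOracle(vault, start_block=1)
    vault.donate(donation)
    guarded.update(1)  # same block as the donation: nothing changes
    result = {"naive": vault.exchange_rate(), "guarded_same_block": guarded.rate}
    guarded.update(2)  # next block: the jump is clipped to one bounded step
    result["guarded_next_block"] = guarded.rate
    return result
```

The naive reading jumps to 1.83 GLP per share in the donation block, while the guarded oracle still reports 1.0 in that block and at most 1.05 in the next, so collateral valued by it cannot be inflated within a single transaction.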
PlutusDAO, a governance aggregator, stated in a proposal that Plutus’ products and platform performed flawlessly throughout the incident and that Plutus funds are completely secure. Independent auditors investigating the event determined that the vulnerability was exclusively the result of Lodestar’s oracle implementation.