Arbitrum-based DeFi protocol Lodestar Finance was exploited in yet another flash loan attack on Dec. 10. According to reports, the company lost roughly $6.9 million due to the attack.
Lodestar explained in a Twitter thread that the attacker “manipulated the exchange rate of the plvGLP contract to 1.83 GLP per plvGLP, an exploit that by itself would be unprofitable.”
The attacker then supplied plvGLP collateral to the smart contract and borrowed all the available liquidity. However, the collateralization ratio on the platform prevented the attacker from completely cashing out the plvGLP.
Making matters worse, several plvGLP holders took advantage of the situation and cashed out at 1.83 GLP per plvGLP.
“The hacker burned a little over 3 million in GLP, their profit on this exploit was the stolen funds on Lodestar – minus the GLP they burned,” wrote Lodestar. “2.8 Million of the GLP is recoverable, which is worth about $2.4 million.”
The protocol has now set interest rates to zero, preventing any flow of demand and supply balances. It’s also working on recovery options by possibly reaching out to the attacker and offering them a bounty.
According to PlutusDAO, the Lodestar exploit was solely the result of a faulty implementation of the oracle through which Lodestar obtained the price of plvGLP.
“The GLPOracle did not properly take into account the impact of a user calling donate() on the GlpDepositor contract, which inflates the assets of the GlpDepositor contract, and therefore the oracle-delivered price of the plvGLP token,” said the audit team of Solidity Finance.
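The oracle flaw described above can be reproduced in a toy model. This is an added example, not code from Lodestar, PlutusDAO or the audit: `ToyDepositor`, `spot_price`, `BoundedOracle`, the 1% bound and all balances are assumptions constructed for illustration, and the rate bound is one possible mitigation rather than the fix the protocol adopted.

```python
from fractions import Fraction

class ToyDepositor:
    """Toy stand-in for GlpDepositor: plvGLP shares backed by pooled GLP."""
    def __init__(self, assets, shares):
        self.total_assets, self.total_shares = Fraction(assets), Fraction(shares)

    def exchange_rate(self):
        return self.total_assets / self.total_shares  # GLP per plvGLP

    def deposit(self, glp):
        # Shares are minted at the current rate, so the rate does not move.
        self.total_shares += Fraction(glp) / self.exchange_rate()
        self.total_assets += glp

    def donate(self, glp):
        # Assets rise with no shares minted, so every share reads as worth more.
        self.total_assets += glp

def spot_price(vault, glp_usd):
    """Flawed pattern: price plvGLP from the instantaneous assets/shares ratio."""
    return vault.exchange_rate() * glp_usd

class BoundedOracle:
    """Assumed mitigation: reject a rate that moved more than max_step since last read."""
    def __init__(self, vault, max_step=Fraction(1, 100)):
        self.vault, self.max_step = vault, max_step
        self.last_rate = vault.exchange_rate()

    def price(self, glp_usd):
        rate = self.vault.exchange_rate()
        if abs(rate - self.last_rate) > self.last_rate * self.max_step:
            raise ValueError("plvGLP rate jump exceeds bound; price rejected")
        self.last_rate = rate
        return rate * glp_usd

def demo():
    # Constructed numbers: 1,000,000 GLP backing 1,000,000 plvGLP, GLP at $1.
    vault = ToyDepositor(1_000_000, 1_000_000)
    guarded = BoundedOracle(vault)
    vault.deposit(50_000)                      # ordinary deposit: rate stays 1
    before = spot_price(vault, Fraction(1))
    vault.donate(871_500)                      # donation: rate becomes 1.83
    after = spot_price(vault, Fraction(1))
    try:
        guarded.price(Fraction(1))
    except ValueError:
        return before, after, True             # bounded oracle refused the price
    return before, after, False
```

A lending market that values collateral with `spot_price` would credit each plvGLP at 1.83 times its earlier value immediately after the donation, while the bounded oracle refuses to report a price until the jump is reviewed.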
Some observers believe there’s no value left in Lodestar and nothing is recoverable even if the debt position is liquidated. It’s all bad debt now.