Arbitrum-based DeFi protocol Lodestar Finance was exploited in yet another flash loan attack on Dec. 10. According to reports, the protocol lost roughly $6.9 million in the attack.
#CertiKSkynetAlert 🚨 @LodestarFinance announced on their discord channel that they have paused borrowing and liquidation activity. Their team is currently investigating a potential exploit. Community reports indicate possible losses of ~$6.9 Million.
— CertiK Alert (@CertiKAlert) December 10, 2022
Lodestar explained over a Twitter thread that the attacker “manipulated the exchange rate of the plvGLP contract to 1.83 GLP per plvGLP, an exploit that by itself would be unprofitable.”
The attacker then supplied plvGLP as collateral to the lending contract and borrowed all of the available liquidity. The platform's collateralization ratio, however, prevented the attacker from cashing out the plvGLP in full.
Making matters worse, several plvGLP holders took advantage of the situation and cashed out at 1.83 GLP per plvGLP.
“The hacker burned a little over 3 million in GLP, their profit on this exploit was the stolen funds on Lodestar – minus the GLP they burned,” wrote Lodestar. “2.8 Million of the GLP is recoverable, which is worth about $2.4 million.”
The protocol has since set interest rates to zero, so supply and borrow balances no longer accrue, and is exploring recovery options, including reaching out to the attacker with a bounty offer.
If you are the hacker, reach out to us so we can find a white-hat agreement and move on. Recovering the funds of our users is the main priority and we will generously reward your collaboration. #Hack #whitehat #Arbitrum $LODE #Exploit #DEFI https://t.co/SWlCr3KMib
— Lodestar Finance (💙,🧡) (@LodestarFinance) December 10, 2022
According to PlutusDAO, the Lodestar exploit was solely the result of a faulty oracle implementation, the one through which Lodestar obtained the price of plvGLP.
“The GLPOracle did not properly take into account the impact of a user calling donate() on the GlpDepositor contract, which inflates the assets of the GlpDepositor contract, and therefore the oracle-delivered price of the plvGLP token,” said the audit team of Solidity Finance.
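The accounting the audit team describes, as an added illustration that is not code from Lodestar, PlutusDAO or Solidity Finance: a vault whose oracle reads assets divided by share supply live, a donate() that raises the assets figure without minting shares, and a lending-market borrow-limit check that consumes that price. The vault balances, the 1,000,000 plvGLP collateral position, the 0.8 collateral factor and the bounded-step oracle used as a contrast are all constructed assumptions (the contract names are the page's, the rest is not); the model covers only the repricing and the resulting borrow limit, not the attacker's full profit and loss.

```python
"""Model of the plvGLP oracle issue described on the page.

Hypothetical illustration, not code from Lodestar, PlutusDAO or the audit
team: class and function names follow the page, numbers are constructed.
"""

from dataclasses import dataclass


@dataclass
class GlpDepositor:
    """Simplified vault: holds GLP, issues plvGLP shares against it."""
    glp_assets: float   # GLP the contract counts toward its assets
    plv_supply: float   # plvGLP shares outstanding

    def deposit(self, glp: float) -> float:
        """Mint plvGLP at the current rate; assets and supply grow together,
        so the GLP-per-plvGLP rate is unchanged."""
        shares = glp * self.plv_supply / self.glp_assets
        self.glp_assets += glp
        self.plv_supply += shares
        return shares

    def donate(self, glp: float) -> None:
        """Add GLP without minting shares: assets grow, supply does not,
        so every existing plvGLP is now 'worth' more GLP."""
        self.glp_assets += glp


def naive_price(dep: GlpDepositor) -> float:
    """GLPOracle as the page describes it: assets / supply, read live."""
    return dep.glp_assets / dep.plv_supply


class BoundedOracle:
    """Assumed mitigation (not the protocol's actual fix): track the vault
    rate, but move at most max_step (relative) per update, so a one-shot
    donate() cannot reprice collateral inside a single block."""

    def __init__(self, initial: float, max_step: float = 0.01):
        self.price = initial
        self.max_step = max_step

    def update(self, dep: GlpDepositor) -> float:
        target = naive_price(dep)
        hi = self.price * (1 + self.max_step)
        lo = self.price * (1 - self.max_step)
        self.price = min(max(target, lo), hi)
        return self.price


def borrow_limit(plv_collateral: float, price: float, collateral_factor: float) -> float:
    """Lending-market check: GLP-denominated value this collateral may borrow."""
    return plv_collateral * price * collateral_factor


def fresh_vault() -> GlpDepositor:
    # constructed state: 10M GLP backing 10M plvGLP, i.e. 1.0 GLP per plvGLP
    return GlpDepositor(glp_assets=10_000_000.0, plv_supply=10_000_000.0)


def price_after_deposit(glp: float) -> float:
    """A normal deposit leaves the oracle price where it was."""
    dep = fresh_vault()
    dep.deposit(glp)
    return naive_price(dep)


def run_sequence(donation: float, collateral_plv: float = 1_000_000.0,
                 collateral_factor: float = 0.8) -> dict:
    """The page's sequence: donate() to inflate the rate, then compare the
    borrow limit a fixed plvGLP position gets from each oracle."""
    dep = fresh_vault()
    bounded = BoundedOracle(naive_price(dep))
    limit_before = borrow_limit(collateral_plv, naive_price(dep), collateral_factor)
    dep.donate(donation)
    p_naive = naive_price(dep)
    p_bounded = bounded.update(dep)
    return {
        "price_naive": p_naive,
        "price_bounded": p_bounded,
        "limit_before": limit_before,
        "limit_naive": borrow_limit(collateral_plv, p_naive, collateral_factor),
        "limit_bounded": borrow_limit(collateral_plv, p_bounded, collateral_factor),
    }


if __name__ == "__main__":
    # 8.3M GLP donated into a 10M/10M vault takes the naive rate to 1.83
    for k, v in run_sequence(8_300_000.0).items():
        print(f"{k:>14}: {v:,.4f}")
```

The step bound only buys time: the donated GLP really is in the vault, so a capped oracle converges to the inflated rate over successive updates, and, as the page notes, other holders can redeem at the new rate in the meantime. It stops the same-block reprice-and-borrow pattern and gives the team a window to pause, but a fuller fix has to value plvGLP from assets the vault can attribute to minted shares, or from a source a single transaction cannot move.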
Some observers believe there's no value left in Lodestar and nothing is recoverable even if the debt position is liquidated. It's all bad debt now.