CertiK, a blockchain security company, shared a postmortem analysis of the $5.8M Lodestar Finance exploit on Dec. 10, 2018.
5. The hacker lost a little more than 3 million GLP. Their profit was Lodestar’s stolen funds minus the GLP that they burned.
6. 2.28 Million GLP can be recovered, which is approximately $2.4 million. We will reach out to the hacker…
— Lodestar Finance (@LodestarFinance) December 10, 2022
In a similar instance, CertiK said that Lodestar Finance hackers “artificially pumped the price of an illiquid collateral asset which they then borrow against, leaving the protocol with irretrievable debt.”
“Despite some of the losses being potentially recoverable, the protocol is functionally insolvent right now, and users are being urged not to repay any loans they have taken out.”
The attack occurred through a vulnerability in PlutusDAO’s plvGLP token on Lodestar. According to its documentation, Lodestar “uses verified, secure Chainlink price feeds for every asset it offers with the exception of plvGLP.” Instead, the exchange rate of plvGLP to GLP relied on a value computed on Lodestar itself: total assets divided by total supply.
CertiK explains that the exploiter first funded their wallet with 1,500 Ether (ETH) on Dec. 8. Two days later, they took out eight flash loans totaling approximately $70 million in USD Coin (USDC), wrapped Ether and Dai (DAI). The plvGLP/GLP exchange rate rose from 1.00 to 1.83, allowing the exploiter to borrow more assets from the protocol.
The platform’s liquidity was quickly depleted by the borrowings, after which the hacker transferred the funds out of Lodestar, leaving users with bad debt. The exploiter earned $6.9 million through this attack vector.
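The design flaw CertiK describes is that the collateral's exchange rate was a spot ratio (total assets divided by total supply) that the lending protocol trusted directly. The simulation below is an added example, not code from Lodestar, PlutusDAO or CertiK: it models a share vault with that spot rate, shows that a pro-rata deposit leaves the rate at 1.00 while an inflow of underlying that mints no shares pushes the same spot ratio to 1.83 in one step, and shows how a bounded, trailing-average rate check on the lending side would refuse to value collateral at the jumped rate. The window size, the 10% deviation cap, the 75% loan-to-value ratio and all balances are constructed, illustrative values.

```python
"""Spot assets/supply exchange rate vs. a bounded trailing-average rate.

Constructed example for illustration; the balances, window, deviation cap
and LTV are assumptions, not Lodestar's on-chain parameters.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass
class ShareVault:
    """Receipt-token vault (think plvGLP over GLP) with a spot exchange rate."""
    total_assets: float  # underlying tokens held by the vault
    total_supply: float  # receipt tokens in circulation

    def spot_rate(self) -> float:
        """The rate the article describes: total assets / total supply."""
        return self.total_assets / self.total_supply

    def deposit(self, amount: float) -> float:
        """Normal deposit: shares are minted pro rata, so the rate is unchanged."""
        shares = amount / self.spot_rate()
        self.total_assets += amount
        self.total_supply += shares
        return shares

    def receive_without_minting(self, amount: float) -> None:
        """Underlying lands in the vault but no shares are minted, so only
        the numerator of the spot rate moves (assumed manipulation model)."""
        self.total_assets += amount


class GuardedRateOracle:
    """Lending-side check: accept a spot reading only if it stays within
    max_deviation of a trailing average of earlier readings."""

    def __init__(self, window: int = 8, max_deviation: float = 0.10) -> None:
        self.history = deque(maxlen=window)  # assumed window of past rates
        self.max_deviation = max_deviation   # assumed 10% cap

    def record(self, rate: float) -> None:
        self.history.append(rate)

    def reference(self) -> float:
        return sum(self.history) / len(self.history)

    def check(self, spot: float) -> tuple[bool, float]:
        """Return (accepted, relative deviation from the trailing average)."""
        ref = self.reference()
        deviation = abs(spot - ref) / ref
        return deviation <= self.max_deviation, deviation


def borrow_capacity(shares: float, rate: float, ltv: float = 0.75) -> float:
    """Borrowable value for `shares` receipt tokens at a given rate and
    an assumed loan-to-value ratio."""
    return shares * rate * ltv


def run_scenario() -> dict:
    # Honest path: a large deposit mints shares, rate stays at 1.00.
    honest = ShareVault(total_assets=1_000_000, total_supply=1_000_000)
    honest.deposit(830_000)

    # Skewed path: the same amount arrives without minting, rate jumps.
    skewed = ShareVault(total_assets=1_000_000, total_supply=1_000_000)
    oracle = GuardedRateOracle()
    for _ in range(8):
        oracle.record(skewed.spot_rate())  # calm history at 1.00
    skewed.receive_without_minting(830_000)
    accepted, deviation = oracle.check(skewed.spot_rate())

    # What 100,000 receipt tokens are worth as collateral under each rate.
    collateral = 100_000
    return {
        "honest_rate": honest.spot_rate(),
        "skewed_rate": skewed.spot_rate(),
        "accepted_by_guard": accepted,
        "deviation": deviation,
        "borrow_at_honest": borrow_capacity(collateral, honest.spot_rate()),
        "borrow_at_skewed": borrow_capacity(collateral, skewed.spot_rate()),
        "borrow_at_reference": borrow_capacity(collateral, oracle.reference()),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The guard does not stop the vault's own ratio from moving; it stops the lending protocol from pricing collateral off a reading that departs from recent history by more than the cap, which is the point at which a flash-loan-sized inflow would otherwise translate into extra borrowing power. A Chainlink-style external feed, as Lodestar used for its other assets, removes the dependency on the vault's internal ratio altogether.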
“While Lodestar is reaching out to the exploiter in an attempt to negotiate a bug bounty ex post facto, the funds are likely to be mostly unrecoverable. In the absence of an insurance fund that can cover the losses, users of the platform bear the cost of the exploit.”
CertiK warned that the attack “is the result of flaws in the protocol’s design rather than a bug in its smart contract code.” The blockchain security firm further highlighted that Lodestar launched without an audit, and, therefore, without a third-party review of its protocol design.