On Dec. 10, Lodestar Finance's Arbitrum-based lending protocol was hit by a flash loan attack. Lodestar says the attacker manipulated the price of the plvGLP token and then borrowed all of the platform's liquidity against the inflated token.
Lodestar explained the attack flow in a Twitter thread. The attacker first altered the exchange rate of the plvGLP contract to 1.83 GLP per plvGLP, which the company described as "an exploit that would be unprofitable by itself."
The attacker then supplied the plvGLP as collateral on Lodestar and borrowed all available liquidity, cashing out part of the funds until the collateralization ratio mechanism prevented a complete liquidation of the plvGLP.
"Several plvGLP holders" took advantage of the hack and cashed out at 1.83 GLP per plvGLP, the protocol noted. The hacker was able to burn just under 3 million GLP, so their profit equals the funds stolen from Lodestar minus the GLP they burned.
The attacker earned around $5.8 million in profit. Lodestar says almost 2.8 million GLP (about $2.4 million) can be recovered and should be used to reimburse depositors. The company is trying to negotiate a bug bounty with its exploiter.
Hacker, we can help you find a white-hat arrangement and get you moving.
We are committed to recouping funds for our users and will reward you generously for your cooperation. #Hack #whitehat #Arbitrum $LODE #Exploit #DEFI https://t.co/SWlCr3KMib
— Lodestar Finance (@LodestarFinance) December 10, 2022
The vulnerability at the heart of the attack was in GLPOracle and the way it derives its prices. The audit team at Solidity Finance stated that the attack highlighted "the importance of using oracles that are resistant to manipulation in DeFi protocols which lend out user resources."
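As an added illustration (not Lodestar's code, nor code from the article), this Python simulation contrasts an oracle that takes the vault-reported GLP/plvGLP rate at face value with one that bounds the rate against a moving average of recent observations. The GLP price, collateral factor, deposit size and window length are constructed assumptions; only the 1.83 rate comes from the article, and the assumption that the weak oracle read the vault rate directly is mine.

```python
from collections import deque

GLP_USD = 0.85           # constructed GLP price in USD (assumption, not from the article)
COLLATERAL_FACTOR = 0.8  # constructed: borrow up to 80% of collateral value


def spot_oracle_price(vault_rate: float) -> float:
    """Weak pattern (assumed): value plvGLP at whatever GLP/plvGLP rate the vault reports now."""
    return vault_rate * GLP_USD


class BoundedTwapOracle:
    """Hardened pattern: compare the live vault rate with a moving average of past
    observations and refuse to credit collateral above a bounded upward deviation."""

    def __init__(self, window: int = 8, max_up_deviation: float = 0.05):
        self.history = deque(maxlen=window)
        self.max_up_deviation = max_up_deviation

    def observe(self, vault_rate: float) -> None:
        # Recorded once per block by a keeper, so a single block cannot dominate the window.
        self.history.append(vault_rate)

    def price(self, vault_rate: float) -> float:
        if not self.history:
            raise ValueError("oracle not seeded")
        twap = sum(self.history) / len(self.history)
        # Cap the credited rate at TWAP * (1 + cap); drops pass through unchanged so
        # liquidations stay timely. Conservative in the protocol's favour.
        credited = min(vault_rate, twap * (1 + self.max_up_deviation))
        return credited * GLP_USD


def max_borrow_usd(collateral_plvglp: float, price_usd: float) -> float:
    return collateral_plvglp * price_usd * COLLATERAL_FACTOR


def simulate(honest_blocks: int = 8, attack_rate: float = 1.83):
    """Constructed scenario: the rate sits at 1.00 for several blocks, then jumps to
    attack_rate (the 1.83 GLP/plvGLP figure from the article) within one block."""
    oracle = BoundedTwapOracle()
    for _ in range(honest_blocks):
        oracle.observe(1.00)
    collateral = 1_000_000.0  # constructed deposit size in plvGLP
    weak = max_borrow_usd(collateral, spot_oracle_price(attack_rate))
    hardened = max_borrow_usd(collateral, oracle.price(attack_rate))
    return weak, hardened


if __name__ == "__main__":
    weak, hardened = simulate()
    print(f"spot oracle credits ${weak:,.0f}; bounded TWAP oracle credits ${hardened:,.0f}")
```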
PlutusDAO, a governance aggregator, noted that its "products and platform functioned perfectly throughout the event. Plutus funds are 100% safe. The exploit was solely a result of Lodestar's oracle implementation." It also said:
“We are willing to accept responsibility for the promotion of an unaudited protocol. While the exploit is in no way Plutus’ fault, we recognize the fact that we were too eager to promote a protocol integrating plvGLP. With plvGLP gaining significant traction, we’ve wanted to highlight all plvGLP integrations to our community to emphasize the adoption and opportunities the integrations have presented both to individual users and protocols. We are sorry for this. We regret that we jumped the gun. Going forward, we won’t be encouraging protocols that have not been audited.”
Lodestar's attack was very similar to the Mango Markets exploit of Oct. 11, in which more than $100 million was taken by an attacker who manipulated price oracle data, enabling them to take out uncollateralized cryptocurrency loans.