Lodestar Finance, Live Flash Loan Attacks, PlvGLP Token Price Manipulation Strikes

Lodestar Finance, hit by a flash loan attack. (photo: twitter @LodestarFinance)

JAKARTA - The arbitration-based lending protocol, Lodestar Finance, was exploited in a flash loan attack on December 10. According to Lodestar, the attacker manipulated PlutusDAO's plvGLP token price before borrowing all platform liquidity using inflated tokens.

In a Twitter thread, Lodestar describes the flow of attacks. The attackers first manipulated the plvGLP contract exchange rate to 1.83 GLP per plvGLP. "THIS exploitation is not profitable", the company said, as quoted by Cointelegraph.

Then, the attacker supplies PlvGLP collateral to Lodestar and borrows all available liquidity, disbursing some of the funds "until the collateral ratio mechanism prevents full liquidation of PlvGLP."

If you are the hacker, reach out to us so we can find a white-hat agreement and move on. Recovering the funds of our users is the main priority and we will generously reward your collaboration.#Hack #whitehat #Arbitrum $LODE #Exploit #DEFI https://t.co/SWlCr3KMib

— Lodestar Finance (💙,🧡) (@LodestarFinance) December 10, 2022

After the hack, "several plvGLP holders also took advantage of this opportunity and also cashed out 1.83 glps per plvGLP." Hackers were able to burn more than 3 million GLPs, which resulted in the "stolen funds in Lodestar - minus the GLPs they burned.", wrote the DeFi platform.

The striker made a profit of around USD 5.8 million (IDR 90.5 billion). Lodestar stated that nearly 2.8 million GLP (about USD 2.4 million) could be re-acquired, which should be used to pay the depositors. The company is trying to negotiate a bug reward with its exporters.

The main vulnerability causing the attack was in an oracle implemented by Lodestar to find out the price of plvGLP. In an analysis, the audit team Solidity Finance said the event highlighted "that taking advantage of an oracle that is resistant to manipulation is a very important part of DeFi, especially in protocols that lend user assets."

In a statement, governance aggregator PlutusDAO noted that "its products and platforms work exactly as intended across events. All funds in Plutus are completely safe. Such exploitation is solely the result of the implementation of oracle Lodestar."

"We want to take responsibility for promoting unudited protocols. Although exploit is not at all Plutus' fault, we recognize the fact that we are too excited to promote protocols that integrate PlvGLP. With the plvGLP gaining significant traction, we would like to highlight all plvGLP integrations into our community to emphasize the adoption and opportunities that have been presented by integration both for individual users and protocols. For this, we apologize. We act immediately, and in the future, we will no longer promote unudited protocols, "said spokesman PlutusDAO, quoted Cointelegraph

Lodestar attacks are similar to Mango Markets exploits on October 11, when more than $100 million was stolen through attackers who manipulated oracle price data, allowing hackers to take cryptocurrency loans without collateral.