JAKARTA - The Arbitrum-based lending protocol Lodestar Finance was exploited in a flash loan attack on December 10. According to Lodestar, the attacker manipulated the price of PlutusDAO's plvGLP token and then used the inflated tokens as collateral to borrow all of the platform's liquidity.
In a Twitter thread, Lodestar described the flow of the attack. The attacker first manipulated the plvGLP contract's exchange rate to 1.83 GLP per plvGLP. "THIS exploitation is not profitable" on its own, the company said, as quoted by Cointelegraph.
The attacker then supplied plvGLP as collateral to Lodestar and borrowed all available liquidity, unwinding part of the position "until the collateral ratio mechanism prevents full liquidation of plvGLP."
If you are the hacker, reach out to us so we can find a white-hat agreement and move on. Recovering the funds of our users is the main priority and we will generously reward your collaboration.#Hack #whitehat #Arbitrum $LODE #Exploit #DEFI https://t.co/SWlCr3KMib
- Lodestar Finance (@LodestarFinance) December 10, 2022
After the hack, "several plvGLP holders also took advantage of this opportunity and also cashed out 1.83 GLP per plvGLP." The attacker was able to burn more than 3 million GLP, which left "the stolen funds in Lodestar, minus the GLP they burned," the DeFi platform wrote.
The attacker made a profit of around USD 5.8 million (IDR 90.5 billion). Lodestar stated that nearly 2.8 million GLP (about USD 2.4 million) could be recovered and would be used to repay depositors. The company is trying to negotiate a bug bounty with the exploiter.
The main vulnerability behind the attack was the oracle Lodestar implemented to determine the price of plvGLP. In its analysis, the audit firm Solidity Finance said the incident highlighted "that using a manipulation-resistant oracle is a very important part of DeFi, especially in protocols that lend out user assets."
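To make the oracle point concrete, here is an added illustration that is not Lodestar's, PlutusDAO's or Solidity Finance's code: a toy lending-market model that prices plvGLP collateral two ways, straight from the vault's current GLP-per-plvGLP exchange rate versus through a bounded time-weighted average (TWAP). The collateral factor, pool size, deposit size and the 1.0 baseline rate are constructed figures; only the 1.83 manipulated rate comes from the article. The model shows why a spot-rate read lets an inflated rate unlock the whole pool, while a feed anchored to recent history refuses the jump.

```python
"""Toy collateral-valuation model: spot vault rate vs. bounded TWAP oracle.

All figures are constructed for illustration except the 1.83 GLP/plvGLP
rate reported in the article. Not the code of any real protocol.
"""
from collections import deque
from statistics import fmean
from typing import Optional


def collateral_value_usd(plvglp_amount: float, glp_per_plvglp: float,
                         glp_usd: float) -> float:
    """USD value of a plvGLP deposit: tokens * vault exchange rate * GLP price."""
    return plvglp_amount * glp_per_plvglp * glp_usd


def borrow_capacity_usd(collateral_usd: float, collateral_factor: float,
                        pool_liquidity_usd: float) -> float:
    """Maximum borrow: collateral * factor, capped by what the pool holds."""
    return min(collateral_usd * collateral_factor, pool_liquidity_usd)


class BoundedTwapOracle:
    """Rate feed that averages trusted periodic observations and rejects a
    reading that deviates too far from that average (hypothetical design).

    window:        number of past observations averaged
    max_deviation: largest fractional move of a new reading vs. the TWAP
    """

    def __init__(self, window: int, max_deviation: float) -> None:
        self.max_deviation = max_deviation
        self.history: deque = deque(maxlen=window)

    def record(self, rate: float) -> None:
        """Store one trusted observation (e.g. taken once per block/epoch)."""
        self.history.append(rate)

    def twap(self) -> float:
        if not self.history:
            raise ValueError("no observations recorded yet")
        return fmean(self.history)

    def vetted_rate(self, observed: float) -> Optional[float]:
        """Return a rate safe to value collateral with, or None when the
        observed rate deviates beyond the cap (caller should refuse the borrow).
        Never credits collateral above the recent average."""
        anchor = self.twap()
        if abs(observed - anchor) / anchor > self.max_deviation:
            return None
        return min(observed, anchor)


def compare_borrow_capacity(observed_rate: float,
                            oracle: BoundedTwapOracle) -> tuple:
    """(spot-priced capacity, TWAP-priced capacity) for one constructed deposit."""
    plvglp_deposit = 100_000.0      # constructed
    glp_usd = 1.0                   # constructed
    collateral_factor = 0.8         # constructed
    pool_liquidity_usd = 100_000.0  # constructed

    spot_cap = borrow_capacity_usd(
        collateral_value_usd(plvglp_deposit, observed_rate, glp_usd),
        collateral_factor, pool_liquidity_usd)

    vetted = oracle.vetted_rate(observed_rate)
    safe_cap = 0.0 if vetted is None else borrow_capacity_usd(
        collateral_value_usd(plvglp_deposit, vetted, glp_usd),
        collateral_factor, pool_liquidity_usd)
    return spot_cap, safe_cap


def build_oracle() -> BoundedTwapOracle:
    """Oracle seeded with ten steady 1.0 observations (constructed baseline)."""
    oracle = BoundedTwapOracle(window=10, max_deviation=0.05)
    for _ in range(10):
        oracle.record(1.0)
    return oracle


if __name__ == "__main__":
    oracle = build_oracle()
    for label, rate in (("normal", 1.02), ("manipulated", 1.83)):
        spot, safe = compare_borrow_capacity(rate, oracle)
        print(f"{label:>11} rate {rate:.2f}: spot-priced borrow cap "
              f"{spot:,.0f} USD, TWAP-priced cap {safe:,.0f} USD")
```

Under the spot read, the 1.83 rate values the deposit at 183,000 USD and the borrow cap hits the entire 100,000 USD pool; the bounded oracle sees a 83% jump against its 1.0 anchor and returns nothing, so the borrow is refused. A TWAP only raises the cost of manipulation rather than eliminating it, so the stronger fix is a vault rate that cannot be inflated within a single transaction in the first place.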
In a statement, governance aggregator PlutusDAO noted that "its products and platforms worked exactly as intended throughout the event. All funds in Plutus are completely safe. This exploit is solely the result of Lodestar's oracle implementation."
"We want to take responsibility for promoting unaudited protocols. Although the exploit is not at all Plutus' fault, we recognize the fact that we were too excited to promote protocols that integrate plvGLP. With plvGLP gaining significant traction, we wanted to highlight all plvGLP integrations to our community to emphasize the adoption and opportunities that integration has presented both for individual users and for protocols. For this, we apologize. We are acting immediately, and in the future we will no longer promote unaudited protocols," a PlutusDAO spokesperson said, as quoted by Cointelegraph.
The Lodestar attack is similar to the Mango Markets exploit of October 11, in which more than $100 million was stolen by an attacker who manipulated oracle price data, allowing cryptocurrency loans to be taken without collateral.
The English, Chinese, Japanese, Arabic and French versions are generated automatically by AI, so there may still be inaccuracies in the translation; please always treat the Indonesian version as our main language. (System supported by DigitalSiber.id)