Lodestar Finance, an Arbitrum-based borrowing protocol, was exploited through a flash loan on the 10th of December. According to Lodestar, the attacker artificially inflated the exchange rate of PlutusDAO's plvGLP token and then used the overvalued token as collateral to borrow the entire supply of liquidity available on the protocol.
Since the start of the year, the crypto industry has recorded huge losses from exchange collapses, disappearances, hacks, and scams, ranging from a few hundred thousand dollars to billions of dollars.
In a Twitter thread, Lodestar detailed the attack method. The hacker began by pushing the plvGLP contract's exchange rate to 1.83 GLP per plvGLP, a manipulation the firm described as “an exploit that would be unprofitable on its own.”
The hacker then pledged the plvGLP as collateral with Lodestar, borrowed the maximum amount allowed, and kept taking a fraction of the money “until the collateralization ratio mechanism (CRM) prevented them from fully cashing out the plvGLP.”
Following the hack, a number of plvGLP holders also seized the opportunity to cash out at the rate of 1.83 GLP per plvGLP. The hacker's profit from the exploit was the money they took from Lodestar, less the GLP they burned to inflate the rate, which came to little more than 3 million GLP.
The perpetrator made about $5.8 million. However, Lodestar said that of the GLP's $2.5 million, around $2.8 million was recovered and should be used to compensate depositors. The company is also looking to negotiate a bug bounty with the hacker.
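The description above amounts to a well-known lending-protocol oracle failure: the collateral price was read from a vault's spot exchange rate (underlying assets divided by shares outstanding), which anyone can push up inside a single transaction by adding underlying to the vault without minting shares, and borrow capacity follows the inflated price in the same block. The following is an added, constructed model of that mechanism, written for this article; it is not Lodestar's or PlutusDAO's code, and the vault mechanics, the collateral factor, the pool liquidity, the deposit and donation amounts, and the `BoundedRateOracle` mitigation are all assumptions chosen to illustrate the point (the 1.83 rate is the only figure taken from the article).

```python
"""Constructed model of a spot-rate collateral oracle and its manipulation.

Added example for this article, not code from Lodestar or PlutusDAO. All
parameters below (vault size, collateral factor, liquidity, deposit and
donation sizes, the rate-bound mitigation) are assumptions.
"""
from dataclasses import dataclass


@dataclass
class ShareVault:
    """Vault whose shares are priced as assets / shares (ERC-4626 style)."""
    assets: float
    shares: float

    def rate(self) -> float:
        return self.assets / self.shares

    def deposit(self, amount: float) -> float:
        """Mint shares at the current rate; returns the shares minted."""
        minted = amount / self.rate()
        self.assets += amount
        self.shares += minted
        return minted

    def donate(self, amount: float) -> None:
        """Add underlying without minting shares: every existing share gains value.

        This is the lever: the attacker burns `amount` of underlying to lift
        the rate for all holders, including the shares they pledged elsewhere.
        """
        self.assets += amount


class SpotRateOracle:
    """Weak policy: price a share at whatever the vault reports right now."""

    def price(self, vault: ShareVault) -> float:
        return vault.rate()


class BoundedRateOracle:
    """Assumed mitigation: accept at most `max_step` growth over the last rate
    accepted at a block boundary, so an in-transaction jump cannot be borrowed
    against. (A TWAP or a lagged rate are alternatives; this is the simplest.)"""

    def __init__(self, initial_rate: float, max_step: float = 0.05):
        self.last = initial_rate
        self.max_step = max_step

    def price(self, vault: ShareVault) -> float:
        return min(vault.rate(), self.last * (1 + self.max_step))

    def accept(self, vault: ShareVault) -> None:
        """Roll the accepted rate forward at a block boundary, still bounded."""
        self.last = self.price(vault)


@dataclass
class LendingPool:
    liquidity: float
    collateral_factor: float  # fraction of collateral value that may be borrowed
    oracle: object

    def max_borrow(self, vault: ShareVault, collateral_shares: float) -> float:
        value = collateral_shares * self.oracle.price(vault)
        return min(self.liquidity, value * self.collateral_factor)


def run_scenario(oracle, deposit: float = 1_000_000.0, donation: float = 1_660_000.0):
    """Single-transaction attack: deposit flash-loaned underlying for shares,
    pledge the shares, donate to inflate the rate, re-read borrow capacity.
    Returns (borrow capacity before donation, after donation, vault rate after).
    """
    vault = ShareVault(assets=1_000_000.0, shares=1_000_000.0)   # constructed
    pool = LendingPool(liquidity=3_000_000.0, collateral_factor=0.8, oracle=oracle)
    shares = vault.deposit(deposit)           # 1,000,000 shares at rate 1.0
    before = pool.max_borrow(vault, shares)   # 1,000,000 * 1.0 * 0.8 = 800,000
    vault.donate(donation)                    # rate -> 3,660,000 / 2,000,000 = 1.83
    after = pool.max_borrow(vault, shares)
    return before, after, vault.rate()


if __name__ == "__main__":
    print("spot oracle   :", run_scenario(SpotRateOracle()))
    print("bounded oracle:", run_scenario(BoundedRateOracle(initial_rate=1.0)))
```

Under the spot oracle the same collateral supports a borrow of 1,464,000 after the donation instead of 800,000 before it, all within one transaction; the bounded oracle caps the accepted price at 1.05 and holds the figure at 840,000. The bound is only a backstop: an attacker can ratchet it across blocks, so a lending protocol listing vault shares should also prefer a price source the vault's own depositors cannot move by donating, and should set conservative collateral factors and supply caps for such assets.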
A day after the hack, PlutusDAO, a governance aggregator, released an official statement on the Lodestar Finance exploit on Medium, saying that the attack was purely the result of Lodestar's oracle implementation, as established by the independent auditors investigating the event.
It further affirmed that Lodestar had also contacted Certik, which confirmed that the exploit was caused by Lodestar's oracle implementation.
“We want to take responsibility for promoting an unaudited protocol. While the exploit is in no way Plutus’ fault, we recognize the fact that we were too eager to promote a protocol integrating plvGLP.”
“With plvGLP gaining significant traction, we’ve wanted to highlight all plvGLP integrations to our community to emphasize the adoption and opportunities the integrations have presented both to individual users and protocols. For this, we apologize. We jumped the gun, and going forward we will no longer be promoting protocols that are not audited,” PlutusDAO said.
The aggregator promises to do everything possible to assist the Lodestar Finance team and, in particular, affected users in their recovery. Despite many death threats, the team feels that the excess GLP created by yesterday's exploit should and will be used to compensate affected Lodestar users.