Arbitrum-based borrowing protocol Lodestar Finance was exploited through a flash loan on December 10. According to Lodestar, a hacker artificially raised the price of the plvGLP token on PlutusDAO and then used that token to borrow the whole network’s supply of accessible liquidity.
Since the start of the year, the crypto industry has recorded huge losses from exchange collapses, disappearances, hacks, and scams. These range from a few hundred thousand dollars to billions of dollars.
In a Twitter thread, Lodestar detailed the attack method. The hacker began by changing the plvGLP contract exchange rate to 1.83 GLP per plvGLP, which the firm described as “an exploit that would be unprofitable on its own.”
Lodestar Finance Lost Several Million Dollars
The hacker then pledged the plvGLP as collateral with Lodestar, borrowing the maximum amount allowed and taking a fraction of the money “until the collateralization ratio mechanism (CRM) prevented them from fully cashing out the plvGLP.”
Following the hack, several plvGLP holders also seized the opportunity to cash out at the rate of 1.83 GLP per plvGLP. The hacker’s profit from this exploit was the money they took from Lodestar, less the GLP they burned. This amounts to a little more than 3 million GLP.
The perpetrator made about $5.8 million. However, Lodestar said that of the GLP’s $2.5 million, around $2.8 million was recovered and should be used to compensate depositors. Additionally, the company is looking to negotiate a bug bounty with the hacker.
A day after the hack, PlutusDAO, a governance aggregator, released an official statement on the Lodestar Finance exploit on Medium, saying that the attack was purely a result of Lodestar’s oracle implementation, as proven by independent auditors investigating the event.
It further affirmed that Lodestar Finance had also contacted CertiK, who confirmed the exploit was caused by Lodestar’s oracle implementation.
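To show why the oracle design matters here, the following Python example (added for illustration, not Lodestar's or PlutusDAO's code) compares the borrowing power a lending market grants when it reads the plvGLP exchange rate directly with the borrowing power granted by a feed that clamps each update and flags out-of-band readings. Only the 1.83 GLP per plvGLP rate comes from the article; the baseline rate, GLP price, collateral factor, 2% band and all names are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal as D


@dataclass
class GuardedRateOracle:
    """Exchange-rate feed that clamps each update to a band around the
    last accepted value and records when the spot rate left that band."""
    last_rate: D                 # last accepted GLP per plvGLP
    max_step: D = D("0.02")      # assumed policy: at most 2% move per update
    tripped: bool = False        # True once a spot reading was clamped

    def update(self, spot_rate: D) -> D:
        lo = self.last_rate * (1 - self.max_step)
        hi = self.last_rate * (1 + self.max_step)
        clamped = min(max(spot_rate, lo), hi)
        if clamped != spot_rate:
            self.tripped = True  # signal to pause new borrows and alert
        self.last_rate = clamped
        return clamped


def borrow_limit(units: D, rate: D, glp_usd: D, collateral_factor: D) -> D:
    """USD a borrower may draw against `units` of plvGLP collateral."""
    return units * rate * glp_usd * collateral_factor


def compare(units: D, baseline: D, spot: D, glp_usd: D, cf: D) -> dict:
    """Borrowing power under a raw spot read versus the guarded feed."""
    oracle = GuardedRateOracle(last_rate=baseline)
    guarded = oracle.update(spot)
    return {
        "naive_usd": borrow_limit(units, spot, glp_usd, cf),
        "guarded_usd": borrow_limit(units, guarded, glp_usd, cf),
        "tripped": oracle.tripped,
    }


# Constructed inputs: only the 1.83 rate comes from the article.
RESULT = compare(units=D("1000000"), baseline=D("1.00"), spot=D("1.83"),
                 glp_usd=D("0.80"), cf=D("0.75"))

if __name__ == "__main__":
    for key, value in RESULT.items():
        print(f"{key}: {value}")
```

With these constructed inputs, the unguarded read grants borrowing power that scales with the full jump in the rate, while the guarded feed limits the increase to the band and raises a flag the protocol can use to halt new borrows.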