Blockchain security company CertiK has shared a post-mortem analysis of the $5.8 million Lodestar Finance exploit that occurred on Dec. 10:
5. The hacker burned a little over 3 million in GLP, their profit on this exploit was the stolen funds on Lodestar - minus the GLP they burned.— Lodestar Finance (,) (@LodestarFinance) December 10, 2022
6. 2.8 Million of the GLP is recoverable, which is worth about $2.4 million. We are going to reach out to the hacker and...
In a similar instance, CertiK said that Lodestar Finance hackers “artificially pumped the price of an illiquid collateral asset which they then borrow against, leaving the protocol with irretrievable debt.”
“Despite some of the losses being potentially recoverable, the protocol is functionally insolvent right now, and users are being urged not to repay any loans they have taken out.”
The attack occurred through a vulnerability in the PlutusDAO’s plvGLP token on Lodestar. According to its documentation, Lodestar “uses verified, secure Chainlink price feeds for every asset it offers with the exception of plvGLP.” Instead, the exchange rate of plvGLP to GLP relied on total assets divided by total supply on Lodestar.
As explained by CertiK, the exploiter first funded their wallet with 1,500 Ether (ETH) on Dec. 8 and then took out eight flash loans for a total of approximately $70 million worth of USD Coin (USDC), wrapped Ether (wETH), and Dai (DAI) two days later. This drove the plvGLP/GLP exchange rate to 1.00:1.83, which meant that the exploiter was able to borrow even more assets from the protocol.
The borrowings quickly consumed all the liquidity on the platform, leading the hacker to transfer the funds out of Lodestar and leaving users with bad debt. It is estimated that the exploiter made a total of $6.9 million in profits through the attack vector.
“While Lodestar is reaching out to the exploiter in an attempt to negotiate a bug bounty ex post facto, the funds are likely to be mostly unrecoverable. In the absence of an insurance fund that can cover the losses, users of the platform bear the cost of the exploit.”
CertiK warned that the attack “is the result of flaws in the protocol’s design rather than a bug in its smart contract code.” The blockchain security firm further highlighted that Lodestar launched without an audit, and, therefore, without a third-party review of its protocol design.