Arbitrum-based lending protocol Lodestar Finance was exploited in a flash loan attack on Dec. 10. According to Lodestar, the attacker manipulated the price of PlutusDAO's plvGLP token before borrowing all platform liquidity using the inflated token.
In a Twitter thread, Lodestar explained the attack flow. The attacker first manipulated the exchange rate of the plvGLP contract to 1.83 GLP per plvGLP, "an exploit that by itself would be unprofitable", said the company.
Then, the attacker supplied plvGLP collateral to Lodestar and borrowed all available liquidity, cashing out part of the funds "until the collateralization ratio mechanism prevented a full liquidation of the plvGLP."
Following the hack, "several plvGLP holders also took advantage of the opportunity and also cashed out at 1.83 glp per plvGLP." The hacker was able to burn a little over 3 million in GLP, making profit on the "stolen funds on Lodestar - minus the GLP they burned.", noted the DeFi platform.
The attacker made around $5.8 million in profit. Lodestar states that nearly 2.8 million of the GLP (about $2.4 million) was recoverable, which should be used to repay depositors. The company is trying to negotiate a bug bounty with its exploiter:
The main vulnerability that led to the attack is inside the oracle that Lodestar implemented to discern the price of plvGLP. In an analysis, Solidity Finance audit team said the event highlighted "that utilizing oracles resistant to manipulation is a critically important piece of DeFi, especially in protocols which lend out user assets."
In a statement, governance aggregator PlutusDAO noted that its "products and platform functioned exactly as intended through the entire event. All funds on Plutus are completely safe. The exploit was solely a result of Lodestar’s oracle implementation." It also stated:
"We want to take responsibility for promoting an unaudited protocol. While the exploit is in no way Plutus’ fault, we recognize the fact that we were too eager to promote a protocol integrating plvGLP. With plvGLP gaining significant traction, we’ve wanted to highlight all plvGLP integrations to our community to emphasize the adoption and opportunities the integrations have presented both to individual users and protocols. For this, we apologize. We jumped the gun, and going forward we will no longer be promoting protocols that are not audited."
The Lodestar attack was similar to the Mango Markets exploit on Oct. 11, when over $100 million was stolen through an attacker manipulating price oracle data, allowing the hackers to take out under-collateralized cryptocurrency loans.