Lending Protocol Lodestar Finance Exploited in a Flash Loan Attack
On December 10, the Arbitrum-based lending protocol Lodestar Finance was exploited in a flash loan attack. According to Lodestar, the attacker manipulated the pricing of the plvGLP token to inflate its value and then used the inflated token as collateral to borrow the entirety of the platform's liquidity.
Lodestar outlined the attack flow in a thread posted on Twitter. According to the protocol, the attacker began by pushing the exchange rate of the plvGLP contract up to 1.83 GLP per plvGLP, a manipulation that, on its own, would not have been profitable.
The attacker then supplied plvGLP to Lodestar as collateral, borrowed all of the available liquidity, and cashed out a portion of the funds, until the protocol's collateralization-ratio mechanism halted a full liquidation of the plvGLP.
After the hack, a number of plvGLP holders took the opportunity to cash out their tokens at the inflated rate of 1.83 GLP per plvGLP. According to Lodestar, the attacker burned a little more than 3 million GLP in the process and still turned a profit on the funds stolen from Lodestar after deducting the GLP burned.
The Main Vulnerability Of The Platform
The attacker's profit was approximately $5.8 million. According to Lodestar, about 2.8 million GLP, worth around $2.4 million, is recoverable and should be used to reimburse depositors. The protocol is attempting to negotiate a bug bounty with the attacker.
The primary weakness that allowed the attack to succeed lay in the GLPOracle itself and in the way it manages the price it reports. According to an investigation by the audit team at Solidity Finance, the incident highlighted that the use of immutable oracles is a critically important component of DeFi, particularly in protocols that lend out user assets.
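The following is an added example, not Lodestar, Plutus, GMX or Solidity Finance code. It models the collateral-pricing path described in the attack flow above and the oracle weakness discussed in this section: a lending pool that values wrapped collateral at the vault's spot exchange rate lets a single transaction inflate that rate and borrow the whole pool, while an oracle that rate-limits and time-averages its observations barely moves. The vault mechanism (rate = assets / shares, movable by sending assets to the vault without minting shares), the share and liquidity figures, and the hardened oracle design are assumptions chosen for illustration; only the 1.83 GLP per plvGLP figure comes from the page.

```python
"""Toy model of spot-rate collateral pricing vs. a bounded, averaged oracle.
Constructed example; the vault mechanism, numbers and oracle design are assumed."""

from dataclasses import dataclass


@dataclass
class ShareVault:
    """Wrapper token vault: each share is worth total_assets / total_shares.
    Assumed for illustration: assets can be sent in without minting shares,
    which inflates the rate for every holder within the same transaction."""
    total_assets: float   # underlying units held (think GLP)
    total_shares: float   # wrapper tokens outstanding (think plvGLP)

    def rate(self) -> float:
        return self.total_assets / self.total_shares

    def donate(self, assets: float) -> None:
        self.total_assets += assets


class SpotOracle:
    """Vulnerable: quotes whatever the vault reports at this instant."""

    def __init__(self, vault: ShareVault) -> None:
        self.vault = vault

    def update(self) -> float:
        return self.vault.rate()

    def price(self) -> float:
        return self.vault.rate()


class BoundedOracle:
    """Hardened: each accepted observation may move at most max_step from the
    previous one, and the quoted price is the average of the last `window`
    accepted observations, so a one-transaction spike barely registers."""

    def __init__(self, vault: ShareVault, window: int = 5, max_step: float = 0.01) -> None:
        self.vault, self.window, self.max_step = vault, window, max_step
        self.history = [vault.rate()]          # seeded with the honest rate

    def update(self) -> float:
        last, observed = self.history[-1], self.vault.rate()
        lo, hi = last * (1 - self.max_step), last * (1 + self.max_step)
        accepted = min(max(observed, lo), hi)  # clamp the per-update change
        self.history = (self.history + [accepted])[-self.window:]
        return accepted

    def price(self) -> float:
        return sum(self.history) / len(self.history)


@dataclass
class LendingPool:
    """Values collateral as shares * oracle rate * underlying USD price."""
    liquidity: float          # borrowable stablecoin in the pool
    oracle: object
    underlying_usd: float     # USD per underlying unit, assumed constant
    ltv: float = 0.8          # loan-to-value cap

    def max_borrow(self, collateral_shares: float) -> float:
        value = collateral_shares * self.oracle.price() * self.underlying_usd
        return min(value * self.ltv, self.liquidity)


def simulate(oracle_cls, donation: float, attacker_shares: float) -> dict:
    """Honest borrow cap vs. the cap right after a same-transaction rate spike."""
    vault = ShareVault(total_assets=1_000_000.0, total_shares=1_000_000.0)  # 1:1
    oracle = oracle_cls(vault)
    pool = LendingPool(liquidity=1_000_000.0, oracle=oracle, underlying_usd=1.0)
    honest_cap = pool.max_borrow(attacker_shares)
    vault.donate(donation)      # attacker inflates the rate with flash-loaned funds
    oracle.update()             # the protocol reads the oracle in the same transaction
    manipulated_cap = pool.max_borrow(attacker_shares)
    return {
        "quoted_rate": oracle.price(),
        "honest_cap": honest_cap,
        "manipulated_cap": manipulated_cap,
        "pool_drained": manipulated_cap >= pool.liquidity,
    }


if __name__ == "__main__":
    for cls in (SpotOracle, BoundedOracle):
        # 830k donated against 1M assets pushes the spot rate to 1.83, the page's figure
        print(cls.__name__, simulate(cls, donation=830_000.0, attacker_shares=700_000.0))
```

With the spot oracle the attacker's 700,000 shares, honestly good for a 560,000 borrow, back a borrow of the entire 1,000,000 pool; with the bounded oracle the quoted rate only reaches 1.005 and the cap moves to 562,800. Two caveats a reviewer would raise: silently clamping is one design choice, and a lending protocol may instead prefer to revert borrows whenever the observed rate deviates beyond the bound, since a patient attacker can still ratchet a clamp upward over many updates; and neither variant replaces an independent reference price, which is the usual second check against a manipulated vault.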
The governance aggregator PlutusDAO said in a statement that all of its products and its platform performed precisely as designed throughout the event. The exploited vulnerability lay entirely in Lodestar's implementation of the oracle, so user funds on Plutus remain safe.
Plutus also said it accepts responsibility for promoting an unaudited protocol. Although Plutus was in no way responsible for the exploit, the team acknowledged that it had been overly eager to promote a protocol that integrated plvGLP.
PlutusDAO added that, with plvGLP gaining substantial traction, it had wanted to promote every plvGLP integration to the community to underline the adoption and opportunity these integrations offered to individual users and protocols. In light of this, the team acknowledged its error and apologized; going forward, it will no longer promote protocols that have not been audited.
A Series Of Similar Attacks On Multiple Platforms
The attack on Lodestar closely resembled the October 11 exploit of Mango Markets, in which almost $100 million was lost after an attacker manipulated price oracle data, allowing the attacker to take out under-collateralized loans.
The blockchain security firm OtterSec was the first to flag the incident, tweeting that the exchange had lost more than $100 million after an attacker manipulated the value of the MNGO native token used as collateral and then took out large loans from the exchange's treasury.
Soon after, the Mango Markets team tweeted asking the hacker to get in touch to negotiate a potential bug bounty, and warned users not to deposit funds until the situation was clearer. After further inquiry, the team announced that it had disabled deposits while it investigated the incident.
It later confirmed that a price oracle, the data feed reporting the current value of the MNGO token, had been manipulated. The exploiter's account on the platform shows that the three largest withdrawals were nearly $24 million worth of Solana's SOL, over $26.7 million worth of Marinade Staked SOL (mSOL), a Solana liquid staking token, and $50 million worth of USD Coin.
The exploiter is believed to be a known scammer. MNGO worth more than $14.7 million was taken out of circulation, and Mango said it was working with third parties to freeze funds in flight. Separately, according to the blockchain security firm Beosin, the QANplatform blockchain suffered an exploit of its own on October 11.
That exploit drained about $1.89 million worth of QANX, the platform's native token, from its Ethereum bridge. QANplatform said it is investigating the incident.