The key flaw exploited in the attack was the plvGLP price oracle that Lodestar relied on.
On December 10, the Arbitrum-based lending protocol Lodestar Finance was hit by a flash loan attack. According to Lodestar, the attacker manipulated the price of PlutusDAO's plvGLP token and then used the inflated token as collateral to borrow all of the platform's liquidity.
Lodestar outlined the attack flow in a Twitter thread. The attacker first pushed the plvGLP contract's exchange rate to 1.83 GLP per plvGLP, "an exploit that would be unprofitable on its own," according to the company.
The attacker then supplied plvGLP to Lodestar as collateral and borrowed all available liquidity, cashing out part of the funds "until the collateralization ratio mechanism prohibited the plvGLP from being fully liquidated."
Following the attack, "many plvGLP holders seized the chance and cashed out for 1.83 GLP per plvGLP."
"The hacker was able to burn somewhat more than 3 million GLP, profiting from the 'stolen cash on Lodestar – minus the GLP they burnt,'" according to the DeFi platform.
The attacker profited around $5.8 million. According to Lodestar, almost 2.8 million GLP (about $2.4 million) was recovered and should be used to refund depositors. The firm is attempting to negotiate a bug bounty with the exploiter.
The main weakness that led to the attack lies in the oracle Lodestar used to price plvGLP: it valued the token from the plvGLP contract's exchange rate, which the attacker was able to move. The Solidity Finance audit team said the incident showed "that using oracles immune to manipulation is a very essential aspect of DeFi, particularly in protocols that lend out user assets."
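To make the audit team's point concrete, the following Python model is an added example; it is not code from the article, Lodestar, or Plutus, and it is not Lodestar's actual oracle. It contrasts a naive feed that trusts a vault token's live exchange rate with a guarded feed that quotes a trailing average and refuses readings that jump beyond a deviation bound or an absolute cap. The steady rate series and the parameters (24-sample window, 3% bound, 1.5 hard cap) are constructed; the 1.83 spike is the figure from the article.

```python
from collections import deque

BASIS_POINTS = 10_000


def naive_quote(spot_rate: float) -> float:
    """The fragile pattern: take the vault's live exchange rate as the collateral price."""
    return spot_rate


class ManipulationResistantRate:
    """Quotes a trailing average of past exchange-rate observations and rejects
    readings that deviate too far from it or exceed an absolute ceiling.
    Window, bound and cap values are illustrative assumptions."""

    def __init__(self, seed_rate: float, window: int = 24,
                 max_deviation_bps: int = 300, hard_cap: float = 1.5):
        self.max_deviation_bps = max_deviation_bps
        self.hard_cap = hard_cap
        self.history = deque([seed_rate], maxlen=window)  # accepted observations only
        self.rejected: list[float] = []                  # for alerting / monitoring

    def twap(self) -> float:
        """Time-weighted average over the accepted observations (equal spacing assumed)."""
        return sum(self.history) / len(self.history)

    def update(self, spot_rate: float) -> float:
        """Feed one new spot reading; return the price the lender should use."""
        reference = self.twap()
        deviation_bps = abs(spot_rate - reference) / reference * BASIS_POINTS
        if spot_rate > self.hard_cap or deviation_bps > self.max_deviation_bps:
            # Out-of-band reading: keep quoting the trailing average and do not let
            # the reading enter the history, so one block cannot drag the average up.
            self.rejected.append(spot_rate)
            return reference
        self.history.append(spot_rate)
        return self.twap()


def collateral_value(shares: float, price: float) -> float:
    """Value of a vault-token position in units of the underlying."""
    return shares * price


def run_demo() -> tuple[float, float]:
    """Constructed scenario: five quiet samples, then a sudden spike to 1.83.
    Returns (naive valuation, guarded valuation) for a 1,000,000-share position."""
    oracle = ManipulationResistantRate(seed_rate=1.0)
    steady = (1.002, 1.004, 1.006, 1.008, 1.010)  # constructed quiet history
    for rate in steady:
        oracle.update(rate)
    spike = 1.83  # exchange rate reported in the article
    guarded_price = oracle.update(spike)          # stays near the trailing average
    naive_price = naive_quote(spike)              # follows the spike directly
    shares = 1_000_000
    return collateral_value(shares, naive_price), collateral_value(shares, guarded_price)


if __name__ == "__main__":
    naive_val, guarded_val = run_demo()
    print(f"naive oracle values collateral at   {naive_val:,.0f} GLP")
    print(f"guarded oracle values collateral at {guarded_val:,.0f} GLP")
```

A deviation bound on its own only slows a manipulation that is sustained across many samples; the `rejected` list exists so that operators can alert on repeated out-of-band readings and pause borrowing against the asset while the discrepancy is investigated.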
PlutusDAO, a governance aggregator, said in a statement: "Throughout the event, the products and platform performed precisely as expected. Plutus funds are 100% secure. The vulnerability was caused purely by Lodestar's Oracle implementation." It further said: "We want to take the lead in establishing an unaudited procedure. While the vulnerability was not Plutus' fault, we acknowledge that we were too eager to promote a protocol that included plvGLP. With plvGLP gaining pace, we wanted to showcase all plvGLP integrations in our community to highlight the acceptance and potential the integrations have provided for both individual users and protocols. We are sincerely sorry. We acted too quickly, and we will no longer promote unaudited practices in the future."
The Lodestar attack resembled the Oct. 11 Mango Markets exploit, in which an attacker manipulated price oracle data to take out uncollateralized bitcoin loans, draining over $100 million.