A flash loan attack exploited the Arbitrum-based lending protocol Lodestar Finance on December 10th. The attacker borrowed all of the platform’s liquidity after first manipulating the price of the plvGLP token.
Lodestar Finance described the attack flow in a discussion on Twitter. First, the attacker modified the plvGLP contract’s exchange rate to 1.83 GLP for each plvGLP, which the company described as “an exploit that by itself would be unprofitable.”
Then, the attacker supplied plvGLP collateral to Lodestar Finance and used up all available liquidity to further the attack.
The DeFi platform reported that “several plvGLP holders also took advantage of the opportunity and also cashed out at 1.83 glp per plvGLP.” The hacker was able to burn a little over 3 million in GLP, making a profit on the “stolen funds on Lodestar – minus the GLP they burned.”
The attacker made around $5.8 million in profit. Lodestar Finance stated that nearly $2.8 million of the GLP was recoverable and should go to repay depositors. The company is trying to negotiate a bug bounty with its exploiter.
Though GLPOracle has strong security, it is still vulnerable to manipulation. The recent event highlights that using oracles that are resistant to manipulation, like the ones found in Solidity Finance, is critical when building decentralized finance (DeFi) applications, especially when they lend out user-owned assets.
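As an added illustration (not Lodestar's or Plutus's code), the sketch below shows one defensive pattern for an exchange-rate oracle on a lending market: bound how far the rate may move per update and pause new borrows when a reading falls outside the bound. The baseline rate of 1.00, the 2% bound, the 75% collateral factor and all names are assumptions; only the 1.83 rate comes from the article.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample values; only the 1.83 rate comes from the article.
BASELINE_RATE = Decimal("1.00")      # assumed pre-incident GLP per plvGLP
MANIPULATED_RATE = Decimal("1.83")   # rate reported in the article


@dataclass
class GuardedRateOracle:
    """Exchange-rate feed that limits how far the rate may move per update."""
    last_rate: Decimal
    max_step: Decimal = Decimal("0.02")  # assumed policy: 2% per update
    paused: bool = False

    def update(self, raw_rate: Decimal) -> Decimal:
        """Accept raw_rate if in bounds; otherwise keep the old rate and pause."""
        lower = self.last_rate * (1 - self.max_step)
        upper = self.last_rate * (1 + self.max_step)
        if lower <= raw_rate <= upper:
            self.last_rate = raw_rate
        else:
            self.paused = True  # out-of-band move: stop new borrows, alert
        return self.last_rate


def borrow_limit(shares: Decimal, rate: Decimal, factor: Decimal) -> Decimal:
    """Borrowing power, in GLP terms, for `shares` of plvGLP collateral."""
    return shares * rate * factor


def compare(shares=Decimal("1000"), factor=Decimal("0.75")):
    """Return (naive_limit, guarded_limit, paused) for the jump to 1.83."""
    # Naive market: trusts whatever rate the token contract reports.
    naive = borrow_limit(shares, MANIPULATED_RATE, factor)
    # Guarded market: the same reading trips the bound and pauses borrowing.
    oracle = GuardedRateOracle(last_rate=BASELINE_RATE)
    rate = oracle.update(MANIPULATED_RATE)
    guarded = Decimal(0) if oracle.paused else borrow_limit(shares, rate, factor)
    return naive, guarded, oracle.paused


if __name__ == "__main__":
    print(compare())
```

The bound applies per update, so it has to be sized against how often the feed is refreshed and how fast the rate can legitimately grow.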
PlutusDAO reported in a statement that its “products and platform functioned exactly as intended through the entire event. All funds on Plutus are completely safe. The exploit was solely a result of Lodestar’s oracle implementation.”
The Lodestar Finance attack is comparable to the Mango Markets exploit on October 11th, when hackers manipulated price oracle data, allowing them to take out loans against cryptocurrencies with too little collateral.