Lodestar Finance, a lending platform built on layer-2 Arbitrum technology, experienced a security breach that resulted in a $6.9 million loss. On December 10, Lodestar Finance was the target of a flash loan attack. According to Lodestar, the attacker inflated the value of PlutusDAO’s plvGLP token before using it to borrow the entire available platform liquidity.
The attacker provided Lodestar with plvGLP collateral and borrowed all of the remaining liquidity, although a collateralization ratio mechanism prevented the plvGLP from being completely liquidated. On December 10, the team reported that a “collateralization ratio mechanism prevented them from fully cashing out the plvGLP.”
If you are the hacker, reach out to us so we can find a white-hat agreement and move on.
Recovering the funds of our users is the main priority and we will generously reward your collaboration. #Hack #whitehat #Arbitrum $LODE #Exploit #DEFI https://t.co/SWlCr3KMib
— Lodestar Finance (@LodestarFinance) December 10, 2022
How Did the Hack Happen?
On December 11, Lodestar discussed the attack flow on Twitter. According to the company, the attacker initially manipulated the plvGLP contract’s exchange rate to 1.83 GLP for each plvGLP, “an exploit that would be unprofitable on its own.” The attacker may have made his first $5.8 million.
The attacker made close to $6.9 million in profits and left users with a pile of bad debt.
According to a post-mortem analysis provided by CertiK of the $5.8 million Lodestar Finance exploit that occurred on Dec. 10. #hacker #mangomarket #crypto #profit #finance pic.twitter.com/wR6qU4rloX
— Cryptonairz (@cryptonairz) December 12, 2022
Lodestar later stated that approximately 2.8 million GLP (worth $2.4 million at the time) had been recovered and would be returned to affected customers. Using DeBank, the team is attempting to negotiate a bug bounty with the hacker, stating that the hacker will be rewarded for refunding the money, and has provided a contact address.
This security breach is similar to what occurred at Mango Markets in October, when fraudsters gained access to the project in order to extract money by manipulating the market, causing up to 114 million USD in damages.
Flash Loan Attacks
The attack involved the abuse of short-term loans. A flash loan is a method of borrowing digital assets and repaying them within the same transaction. The attackers used smart contracts to construct transactions that achieve quick arbitrage. They obtained large amounts of plvGLP collateral through flash loans and quickly changed the price by pumping GLP into the plvGLP contract.
3. They cashed out what they could but our collateralization ratio mechanism prevented them from fully cashing out the plvGLP.
4. After the hack several plvGLP holders also took advantage of the opportunity and also cashed out at 1.83 glp per plvGLP.
— Lodestar Finance (@LodestarFinance) December 10, 2022
The attackers then carried on with the procedure, borrowing more money than they should have been able to by influencing the price reported by the plvGLP oracle. According to the Lodestar team, this oracle vulnerability necessitates a redesign of the oracle. To avoid future misuse, the price oracle should not change immediately within the same block.
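The recommendation above, sketched as an added Python example (not Lodestar's or PlutusDAO's code): a spot oracle is compared with one whose price is fixed before the block begins and moves by at most 2% per block. The vault model (rate = GLP held / plvGLP supply), the class names, the 2% step and all balances are assumptions constructed for illustration; only the 1.83 rate comes from the article.

```python
from fractions import Fraction

class Vault:
    """Toy share vault (assumed model): rate = GLP held / plvGLP supply."""
    def __init__(self, glp, shares):
        self.glp, self.shares = Fraction(glp), Fraction(shares)

    def spot_rate(self):
        return self.glp / self.shares

    def donate(self, amount):
        # GLP arrives without new shares being minted, so the rate jumps.
        self.glp += amount

class SpotOracle:
    """Weak design: reports the vault's rate as of this instant."""
    def __init__(self, vault):
        self.vault = vault
    def price(self, block):
        return self.vault.spot_rate()

class LaggedOracle:
    """Hardened design: the price used in a block was fixed before that block
    began, and each per-block update is clamped to +/- max_step."""
    def __init__(self, vault, block, max_step=Fraction(2, 100)):
        self.vault, self.max_step, self.block = vault, max_step, block
        self.committed = self.pending = vault.spot_rate()

    def price(self, block):
        if block > self.block:  # new block: promote last observation, clamped
            lo = self.committed * (1 - self.max_step)
            hi = self.committed * (1 + self.max_step)
            self.committed = min(max(self.pending, lo), hi)
            self.block = block
        self.pending = self.vault.spot_rate()  # usable next block at the earliest
        return self.committed

def simulate():
    """Constructed numbers: a donation lifts the spot rate from 1.00 to 1.83."""
    vault = Vault(glp=1_000_000, shares=1_000_000)
    spot, lagged = SpotOracle(vault), LaggedOracle(vault, block=100)
    vault.donate(830_000)                      # happens inside block 100
    same_block = (spot.price(100), lagged.price(100))
    next_block = (spot.price(101), lagged.price(101))
    return same_block, next_block

if __name__ == "__main__":
    for label, (s, l) in zip(("same block", "next block"), simulate()):
        print(f"{label}: spot={float(s):.2f} lagged={float(l):.2f}")
```

In the same block the lagged oracle still reports 1.00 while the spot oracle reports 1.83; one block later it has moved only to 1.02, which leaves time for monitoring to pause borrowing.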
LODE is Dropping
Members of the Lodestar team announced on the team’s Discord channel their intention to halt borrowing and liquidation operations. According to defillama.com data, the total value locked (TVL) in Lodestar has dropped from around $7 million to just $11.06.
The project’s native cryptocurrency, Lodestar (LODE), has lost 12.0% of its value against the dollar in the last 24 hours. The current value of a LODE coin is $0.153906. LODE hit an all-time high of $0.718 per unit on November 23. On December 11, Lodestar hit an all-time low of $0.130323.