Arbitrum-based lending protocol Lodestar Finance was hacked in a price manipulation attack. The hacker inflated the price of PlutusDAO’s plvGLP token to borrow $5.8 million worth of funds from the platform. Lodestar is currently negotiating with the hacker to safely return user assets.
Lodestar Finance, a decentralised finance (DeFi) lending platform on the Ethereum-based scaling network Arbitrum, was exploited in a flash loan attack on Saturday. In a Twitter thread detailing the exploit, Lodestar said the hacker first manipulated the price of plvGLP and then borrowed all liquidity on the platform against the over-inflated token.
The attacker first pushed the exchange rate of PlutusDAO’s plvGLP token, as reported by Lodestar’s price oracle smart contract, to 1.83 GLP per plvGLP, making it 83% more valuable than its original price of 1 GLP per plvGLP, a step the company says would be unprofitable by itself. They then supplied the inflated plvGLP as collateral to borrow all available liquidity on Lodestar and attempted to cash out the stolen funds by bridging them to Ethereum. However, a collateralization ratio mechanism prevented the attacker from moving all of the tokens out of the protocol.
The hacker burned a little over 3 million GLP before the DeFi platform intervened to stop the liquidity drain. “Their profit on this exploit was the stolen funds on Lodestar – minus the GLP they burned”, stated the company in its Twitter thread. Of the $5.8 million the attacker borrowed in the price manipulation attack, Lodestar states that it will be able to recover nearly 2.8 million GLP, worth around $2.4 million. The recovered funds will be used to reimburse investors who were affected by the exploit. The company is trying to negotiate a deal with the attacker by offering them a bug bounty if the stolen funds are returned safely.
An audit conducted by Solidity Finance revealed the main cause of the attack was a vulnerability inside Lodestar’s oracle that determined the price of plvGLP tokens. The smart contract auditing firm warned that “utilising oracles resistant to manipulation is a critically important piece of DeFi, especially in protocols which lend out user assets.”
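As an added illustration, and not code from Lodestar, Plutus or the auditors, the following Python model shows why a lender that prices vault shares from the live exchange rate is exposed: the rate can be pushed within a single transaction, the borrow limit follows it immediately, and inflating the rate on its own loses the attacker money, as the article notes. It assumes plvGLP behaves like shares of a vault holding GLP (rate = total GLP / total shares), that the rate is moved by adding GLP to the vault without minting shares, a flat GLP price and a 75% collateral factor; the numbers are chosen so the spot rate lands at the 1.83 GLP per plvGLP quoted above. The capped oracle is one simple mitigation of the kind the auditors call for, not what Lodestar deployed.

```python
"""Toy model of a vault-share oracle and why a lender must not read it at spot.

Constructed example, not Lodestar's or Plutus' code. Assumptions: plvGLP is modelled as
shares of a vault holding GLP, the exchange rate is total_glp / total_shares, and the
rate is pushed up by adding GLP to the vault without minting shares ("donation").
"""
from dataclasses import dataclass

GLP_PRICE_USD = 1.0        # assumed flat GLP price; only the plvGLP/GLP rate moves here
COLLATERAL_FACTOR = 0.75   # assumed loan-to-value the lender allows against plvGLP


@dataclass
class Vault:
    total_glp: float
    total_shares: float

    def exchange_rate(self) -> float:
        return self.total_glp / self.total_shares

    def donate(self, glp: float) -> None:
        # GLP in, no shares out: every existing share now redeems for more GLP
        self.total_glp += glp


class SpotOracle:
    """Prices plvGLP from the vault's live exchange rate: movable within one transaction."""

    def __init__(self, vault: Vault) -> None:
        self.vault = vault

    def price(self) -> float:
        return self.vault.exchange_rate() * GLP_PRICE_USD


class CappedOracle:
    """Accepts the live rate only within max_step of the last accepted rate.

    Illustrative manipulation-resistance measure: a genuine, sustained increase is
    still tracked over several updates, but a one-block jump is clipped.
    """

    def __init__(self, vault: Vault, max_step: float = 0.05) -> None:
        self.vault = vault
        self.max_step = max_step
        self.last = vault.exchange_rate()

    def price(self) -> float:
        live = self.vault.exchange_rate()
        accepted = min(live, self.last * (1 + self.max_step))
        self.last = accepted
        return accepted * GLP_PRICE_USD


def borrow_limit(shares: float, price_usd: float,
                 collateral_factor: float = COLLATERAL_FACTOR) -> float:
    """Maximum USD a lender lets the holder of `shares` plvGLP borrow at `price_usd`."""
    return shares * price_usd * collateral_factor


def simulate(oracle_cls, attacker_shares: float = 400_000.0,
             donation: float = 830_000.0) -> dict:
    """Run the donation against a lender using `oracle_cls` and report the effect."""
    vault = Vault(total_glp=1_000_000.0, total_shares=1_000_000.0)  # 1 GLP per plvGLP
    oracle = oracle_cls(vault)
    before = borrow_limit(attacker_shares, oracle.price())
    vault.donate(donation)                      # the one-transaction manipulation
    price_after = oracle.price()                # read once: the capped oracle is stateful
    after = borrow_limit(attacker_shares, price_after)
    # The donation alone only raises the attacker's own shares by their pro-rata cut,
    # so without the loan it is a net loss: the article's "unprofitable by itself".
    own_share_gain = attacker_shares / vault.total_shares * donation
    return {
        "rate_seen_by_lender": price_after / GLP_PRICE_USD,
        "borrow_before": before,
        "borrow_after": after,
        "donation_alone_net": own_share_gain - donation,
    }


if __name__ == "__main__":
    for cls in (SpotOracle, CappedOracle):
        print(cls.__name__, simulate(cls))
```

With the spot oracle the same 400,000 plvGLP supports 83% more borrowing the instant the vault is topped up; with the capped oracle the lender sees at most a 5% move in that block, so the attacker has paid 830,000 GLP to unlock a few percent of extra credit. The cap is a blunt tool (it also delays legitimate repricing), which is why production designs usually combine a bounded step with a time-weighted or externally sourced reference price.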
“To be extremely clear – Plutus’ products and platform functioned exactly as intended through the entire event. All funds on Plutus are completely safe. The exploit was solely a result of Lodestar’s oracle implementation, as proven by independent auditors examining the event… Before diving further, we feel it’s important to emphasise that this will not affect the future of plvGLP as a product in any way,” said PlutusDAO in a statement released on Medium.
Plutus has apologised to its users for “eagerly recommending” an unaudited protocol that supported plvGLP, and has promised not to repeat the mistake in the future. The crypto project will use the surplus GLP that was issued in the exploit to reimburse Lodestar users who were affected by the attack.
The attack was similar to one suffered by the Solana-based DeFi lending protocol Mango Markets. In October, an attacker manipulated Mango’s price oracle to inflate its native MNGO token and drained the platform of all liquidity by borrowing assets against it. The attacker reportedly stole over $100 million worth of cryptocurrencies in the hack.