Blockchain security firm CertiK has released a post-mortem analysis of the $5.8 million Lodestar Finance exploit that occurred on Dec. 10.
In the analysis, CertiK said the Lodestar Finance hackers “artificially pumped the price of an illiquid collateral asset which they then borrow against, leaving the protocol with irretrievable debt.”
“Despite some of the losses being potentially recoverable, the protocol is functionally insolvent right now, and users are being urged not to repay any loans they have taken out.”
The flaw that allowed the attack lies in how Lodestar priced PlutusDAO’s plvGLP token. The lending platform “uses confirmed, secure Chainlink price feeds for every asset it sells with the exception of plvGLP,” according to its documentation.
Instead, Lodestar derived the plvGLP/GLP exchange rate from the ratio of the vault’s total assets to its total supply, a ratio that flash-loaned capital can move within a single transaction. According to CertiK, the exploiter funded their wallet on Dec. 8 with 1,500 Ether (ETH) and, two days later, took out eight flash loans totaling almost $70 million in USD Coin (USDC), wrapped Ether (wETH) and Dai (DAI).
Using the borrowed funds, the exploiter pushed the plvGLP/GLP exchange rate to 1.00:1.83, which let them borrow far more of the protocol’s assets against plvGLP collateral than that collateral was actually worth. Those borrows quickly drained the platform’s liquidity; the hacker then moved the funds out of Lodestar, leaving users holding the bad debt. The attack is thought to have netted the exploiter a total profit of $6.9 million.
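To make the pricing flaw concrete, here is a small Python simulation, added as an example here rather than code from Lodestar, PlutusDAO or CertiK. It models a vault whose share price is computed live as total assets over total supply, a lending market that values collateral straight off that ratio, and the same market behind an oracle that refuses any price more than 5% away from a reference rate that is only updated outside the borrower’s transaction. The vault balances, the 75% loan-to-value ratio, the 5% bound and the “assets added without minting shares” path used to move the ratio are all constructed assumptions; the article does not describe the attacker’s exact transaction path.

```python
# Added example: a small simulation of the pricing flaw described above.
# Not code from Lodestar, PlutusDAO or CertiK; all balances, the 75%
# loan-to-value ratio and the 5% deviation bound are constructed numbers.
from dataclasses import dataclass


class PriceDeviation(Exception):
    """Spot ratio moved too far from the reference rate to be trusted."""


@dataclass
class Vault:
    """Share-based vault: exchange rate = total_assets / total_supply."""
    total_assets: float  # underlying held by the vault (GLP in the article)
    total_supply: float  # vault shares outstanding (plvGLP in the article)

    def exchange_rate(self) -> float:
        # One share redeems for this much underlying, computed live.
        return self.total_assets / self.total_supply

    def deposit(self, assets: float) -> float:
        # Mint shares at the current rate; the ratio itself does not move.
        shares = assets / self.exchange_rate()
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def add_assets_without_shares(self, assets: float) -> None:
        # Underlying sent to the vault with no shares minted. Assumed here as
        # the generic way to push the ratio; the article does not describe
        # the attacker's exact transaction path.
        self.total_assets += assets


class SpotOracle:
    """Prices shares straight off the live ratio (the design the article describes)."""

    def __init__(self, vault: Vault) -> None:
        self.vault = vault

    def price(self) -> float:
        return self.vault.exchange_rate()


class BoundedOracle:
    """Refuses to price shares if the live ratio strays from a reference rate
    that is only ever updated outside the borrower's transaction."""

    def __init__(self, vault: Vault, max_deviation: float = 0.05) -> None:
        self.vault = vault
        self.max_deviation = max_deviation
        self.reference = vault.exchange_rate()

    def refresh(self) -> None:
        # Called by a keeper in a later block, never mid-transaction, so a
        # flash-loan-funded move (repaid in the same tx) never becomes the reference.
        self.reference = self.vault.exchange_rate()

    def price(self) -> float:
        spot = self.vault.exchange_rate()
        if abs(spot - self.reference) / self.reference > self.max_deviation:
            raise PriceDeviation(f"spot {spot:.2f} vs reference {self.reference:.2f}")
        return spot


class LendingMarket:
    """Values collateral through an oracle and lends up to its liquidity."""

    def __init__(self, oracle, liquidity: float, ltv: float = 0.75) -> None:
        self.oracle = oracle
        self.liquidity = liquidity  # everything the market can lend out
        self.ltv = ltv

    def max_borrow(self, collateral_shares: float) -> float:
        value = collateral_shares * self.oracle.price()
        return min(value * self.ltv, self.liquidity)


def simulate(bounded: bool):
    """Returns (final exchange rate, borrow limit before the move, borrow limit after)."""
    vault = Vault(total_assets=1_000_000.0, total_supply=1_000_000.0)  # rate 1.00
    oracle = BoundedOracle(vault) if bounded else SpotOracle(vault)
    market = LendingMarket(oracle, liquidity=5_000_000.0)

    # Attacker mints shares with flash-loaned underlying: 80% of supply, rate unchanged.
    shares = vault.deposit(4_000_000.0)
    before = market.max_borrow(shares)

    # Then pushes the ratio to 9.15M / 5M = 1.83, the 1.00:1.83 move in the article.
    vault.add_assets_without_shares(4_150_000.0)
    try:
        after = market.max_borrow(shares)
    except PriceDeviation:
        after = 0.0  # bounded market refuses to lend against the moved price
    return round(vault.exchange_rate(), 2), before, after


if __name__ == "__main__":
    print("spot oracle:   ", simulate(bounded=False))
    print("bounded oracle:", simulate(bounded=True))
```

With the spot oracle, the same 4,000,000 shares that supported a 3,000,000 borrow a moment earlier now unlock the market’s entire 5,000,000 of liquidity, which is the drain the article describes. The bounded market refuses to price plvGLP until a keeper confirms the new rate in a later block, something a flash loan, which must be repaid within one transaction, cannot wait for. Bounding the move is one design answer; routing the asset through an external feed, as Lodestar’s documentation says it did for every other asset, is another.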
“While Lodestar is reaching out to the exploiter in an attempt to negotiate a bug bounty ex post facto, the funds are likely to be mostly unrecoverable. In the absence of an insurance fund that can cover the losses, users of the platform bear the cost of the exploit.”
CertiK noted that the attack “is the result of flaws in the protocol’s design rather than a bug in its smart contract code.” The security firm further highlighted that Lodestar launched without an audit and, thus, without any third party reviewing its protocol architecture.