{"id":42012,"date":"2022-12-12T16:24:14","date_gmt":"2022-12-12T20:24:14","guid":{"rendered":"https:\/\/coinscreed.com\/staging\/?p=42012"},"modified":"2022-12-12T16:24:17","modified_gmt":"2022-12-12T20:24:17","slug":"hackers-use-mango-markets-attackers-methods-to-exploit-lodestar","status":"publish","type":"post","link":"https:\/\/coinscreed.com\/staging\/hackers-use-mango-markets-attackers-methods-to-exploit-lodestar\/","title":{"rendered":"Hackers use Mango Markets attacker\u2019s methods to exploit Lodestar"},"content":{"rendered":"\n
According to a post-mortem analysis provided by CertiK<\/a> of the $5.8 million Lodestar Finance exploit that occurred on Dec. 10<\/h5>\n\n\n\n
\"Hackers
Hackers use Mango Markets attacker\u2019s methods to exploit Lodestar<\/figcaption><\/figure>\n\n\n\n

A post-mortem examination of the $5.8 million Lodestar Finance vulnerability that happened on December 10 has been released by blockchain security firm CertiK:<\/p>\n\n\n\n

\n

3. They cashed out what they could but our collateralization ratio mechanism prevented them from fully cashing out the plvGLP.

4. After the hack several plvGLP holders also took advantage of the opportunity and also cashed out at 1.83 glp per plvGLP.<\/p>— Lodestar Finance \ud83c\udf1f (@LodestarFinance) December 10, 2022\r\n \r\n \r\n \r\n <\/g>\r\n \r\n \r\n \r\n <\/clipPath>\r\n <\/defs><\/svg><\/span><\/a><\/blockquote>

In a similar instance, CertiK said that Lodestar Finance hackers \u201cartificially pumped the price of an illiquid collateral asset which they then borrow against, leaving the protocol with irretrievable debt.\u201d<\/p>\n\n\n\n

\n

\u201cDespite some of the losses being potentially recoverable, the protocol is functionally insolvent right now, and users are being urged not to repay any loans they have taken out.\u201d<\/p>\n<\/blockquote>\n\n\n\n

The PlutusDAO's plvGLP token<\/a> on Lodestar has a vulnerability that allowed the attack to take place. The lending platform “uses confirmed, secure Chainlink price feeds for every asset it sells with the exception of plvGLP,” according to its documentation. <\/p>\n\n\n\n

Instead, the ratio of total assets to total supply on Lodestar was used to determine the exchange rate of plvGLP to GLP. According to CertiK, the exploiter started their wallet on December 8 with 1,500 Ether (ETH $1,254) before taking out eight flash loans<\/use><\/svg><\/span><\/a> two days later for a total of almost $70 million in USD Coin (USDC $1.00), wrapped Ether (wETH), and Dai (DAI $1.00).<\/p>\n\n\n\n

As a result, the plvGLP\/GLP exchange rate increased to 1.00:1.83, allowing the exploiter to take out more loans from the protocol's assets. As a result of the borrowings, the platform's liquidity was quickly depleted<\/a>, forcing the hacker to move the money out of Lodestar and leaving customers with bad debt. The attack vector is thought to have brought in a total profit of $6.9 million for the exploiter.<\/p>\n\n\n\n

\n

\u201cWhile Lodestar is reaching out to the exploiter in an attempt to negotiate a bug bounty ex post facto, the funds are likely to be mostly unrecoverable. In the absence of an insurance fund that can cover the losses, users of the platform bear the cost of the exploit.\u201d<\/p>\n<\/blockquote>\n\n\n\n

CertiK warned that the attack \u201cis the result of flaws in the protocol\u2019s design rather than a bug in its smart contract code.\u201dFurther highlighting that Lodestar debuted without an audit and, thus, without a third party reviewing its protocol architecture, the blockchain security company.<\/p>\n","protected":false},"excerpt":{"rendered":"

According to a post-mortem analysis provided by CertiK of the $5.8 million Lodestar Finance exploit that occurred on Dec. 10 A post-mortem examination of the $5.8 million Lodestar Finance vulnerability that happened on December 10 has been released by blockchain security firm CertiK: In a similar instance, CertiK said that Lodestar Finance hackers \u201cartificially pumped […]<\/p>\n","protected":false},"author":43,"featured_media":42014,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[11476],"tags":[197,12002,12618],"class_list":["post-42012","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacks-and-scams","tag-defi","tag-hacks","tag-lodestar"],"jetpack_featured_media_url":"https:\/\/coinscreed.com\/staging\/wp-content\/uploads\/2022\/12\/jpg_20221212_205734_0000.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/posts\/42012","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/users\/43"}],"replies":[{"embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/comments?post=42012"}],"version-history":[{"count":0,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/posts\/42012\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/media\/42014"}],"wp:attachment":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/media?parent=42012"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/categories?post=42012"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/tags?post=42012"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}