Arbitrum-based lending protocol Lodestar Finance was exploited in a flash loan attack on Dec. 10. According to Lodestar, the attacker manipulated the price of the plvGLP token before borrowing all platform liquidity using the inflated token.
In a Twitter thread, Lodestar explained the attack flow. The attacker first manipulated the exchange rate of the plvGLP contract to 1.83 GLP per plvGLP, "an exploit that by itself would be unprofitable", said the company.
Then, the attacker supplied plvGLP collateral to Lodestar and borrowed all available liquidity, cashing out part of the funds "until the collateralization ratio mechanism prevented a full liquidation of the plvGLP."
Following the hack, "several plvGLP holders also took advantage of the opportunity and also cashed out at 1.83 glp per plvGLP." The hacker was able to burn a little over 3 million in GLP, making profit on the "stolen funds on Lodestar - minus the GLP they burned.", noted the DeFi platform.
The attacker made around $5.8 million in profit. Lodestar states that nearly 2.8 million of the GLP (about $2.4 million) was recoverable, which should be used to repay depositors. The company is trying to negotiate a bug bounty with its exploiter:
If you are the hacker, reach out to us so we can find a white-hat agreement and move on. Recovering the funds of our users is the main priority and we will generously reward your collaboration.#Hack #whitehat #Arbitrum $LODE #Exploit #DEFI https://t.co/SWlCr3KMib
The main vulnerability that led to the attack is inside GLPOracle and how it conducts its price. In an analysis, Solidity Finance audit team said the event highlighted "that utilizing oracles resistant to manipulation is a critically important piece of DeFi, especially
Read more on cointelegraph.com