According to a post-mortem analysis provided by CertiK of the $5.8 million Lodestar Finance exploit that occurred on December 10,
5. The hacker burned a little over 3 million worth of GLP; their profit on this exploit was the funds stolen at Lodestar, minus the GLP they burned.
6. 2.8 million of GLP are recoverable, which is equivalent to about $2.4 million. We’ll contact the hacker and…
– Lodestar Finance (@LodestarFinance) December 10, 2022
In a similar case, CertiK said the Lodestar Finance hackers “artificially inflated the price of an illiquid collateral asset that they then borrowed against, leaving the protocol with a bad debt.”
“Although some of the losses are potentially recoverable, the protocol is functionally insolvent at this time, and users are urged not to repay any loans they have taken out.”
The attack occurred via a vulnerability in how Lodestar priced PlutusDAO’s plvGLP token. According to its documentation, Lodestar “uses verified and secure Chainlink price sources for every asset it offers, with the exception of plvGLP.” Instead, Lodestar derived the plvGLP-to-GLP exchange rate from the vault’s total assets divided by its total supply, a spot figure that can move within a single transaction.
As CertiK explained, the exploiter first funded his wallet with 1,500 Ether (ETH) on Dec. 8 and, two days later, took out eight flash loans totaling about $70 million worth of USD Coin (USDC), Wrapped Ether (wETH) and Dai (DAI). This pushed the plvGLP-to-GLP exchange rate to 1.00:1.83, which meant the exploiter was able to borrow even more assets from the protocol against the same collateral.
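The design flaw CertiK describes is that the collateral price was a ratio the protocol computed on the spot (total assets divided by total supply) rather than an independently sourced price. The following toy model, added here as an illustration and not code from Lodestar, PlutusDAO or CertiK, shows why that matters from a risk-control standpoint: the naive borrow limit tracks whatever the spot rate says, while a guard that compares the live rate against a trailing reference refuses to value collateral after an implausible jump. The vault sizes, the 5% deviation bound, the loan-to-value ratio and the event that raises total assets without minting shares are all constructed assumptions; the mechanism used in the real incident is not modelled.

```python
"""Toy model of a share-token exchange rate used as a collateral price.

Constructed example, not the protocol's own code. It models the flaw the
article describes: valuing plvGLP-like collateral at total_assets /
total_supply, a spot ratio a single large actor can move within one
transaction, and a hypothetical deviation guard a lender could apply.
"""
from dataclasses import dataclass


@dataclass
class ShareVault:
    total_assets: float  # underlying (GLP-like) held by the vault
    total_supply: float  # share tokens (plvGLP-like) outstanding

    def exchange_rate(self) -> float:
        """Spot rate: underlying per share. Using this directly as the
        collateral price is the design flaw under discussion."""
        return self.total_assets / self.total_supply


def spot_borrow_limit(vault: ShareVault, shares: float, ltv: float) -> float:
    """Naive valuation: borrowing power follows the live spot rate with no bound."""
    return shares * vault.exchange_rate() * ltv


class GuardedRateOracle:
    """Hypothetical mitigation: hold a reference rate updated out of band
    (e.g. once per block or via a time-weighted average) and reject any
    live rate that deviates from it by more than max_deviation."""

    def __init__(self, reference_rate: float, max_deviation: float) -> None:
        self.reference_rate = reference_rate
        self.max_deviation = max_deviation

    def deviation(self, vault: ShareVault) -> float:
        return abs(vault.exchange_rate() - self.reference_rate) / self.reference_rate

    def safe_rate(self, vault: ShareVault) -> float:
        dev = self.deviation(vault)
        if dev > self.max_deviation:
            raise ValueError(
                f"exchange rate moved {dev:.1%}, above the {self.max_deviation:.0%} bound"
            )
        return vault.exchange_rate()


def simulate(asset_inflation: float, shares: float = 100_000.0, ltv: float = 0.8) -> dict:
    """Run one scenario: value `shares` of collateral before and after
    total_assets rises by `asset_inflation` with no new shares minted."""
    vault = ShareVault(total_assets=1_000_000.0, total_supply=1_000_000.0)  # rate 1.00
    oracle = GuardedRateOracle(reference_rate=vault.exchange_rate(), max_deviation=0.05)

    limit_before = spot_borrow_limit(vault, shares, ltv)

    # Constructed event: assets grow without a matching share issuance, so the
    # spot ratio jumps. The real-world mechanism is not modelled here.
    vault.total_assets += asset_inflation

    limit_after = spot_borrow_limit(vault, shares, ltv)
    try:
        oracle.safe_rate(vault)
        guard_verdict = "accepted"
    except ValueError:
        guard_verdict = "rejected"

    return {
        "rate_after": vault.exchange_rate(),
        "naive_limit_before": limit_before,
        "naive_limit_after": limit_after,
        "guard_verdict": guard_verdict,
    }


if __name__ == "__main__":
    # Reproduces the article's 1.00 -> 1.83 jump in this toy setting.
    print(simulate(asset_inflation=830_000.0))
    # A small organic move stays inside the bound and is accepted.
    print(simulate(asset_inflation=20_000.0))
```

The guard is deliberately simple: it does not make the spot ratio a good price, it only stops the lender from acting on a rate that moved faster than any legitimate yield could explain. A production design would source the price independently or bound the rate's change per block, which is the gap the article's quoted documentation acknowledges for plvGLP.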
The loans quickly drained all the liquidity on the platform, after which the hacker transferred the funds out of Lodestar, leaving users holding the bad debt. The exploiter is estimated to have made a total of $6.9 million in profit through this attack vector.
“While Lodestar is approaching the exploiter in an attempt to negotiate an ex post facto bug bounty, the funds are likely to be mostly unrecoverable. In the absence of an insurance fund that can cover losses, users of the platform assume the cost of the feat.”
CertiK warned that the attack “is the result of protocol design flaws rather than a bug in its smart contract code.” The blockchain security firm further highlighted that Lodestar launched without an audit, and therefore without a third-party review of its protocol design.
This post, “Hackers copied Mango Markets attacker’s methods to exploit Lodestar: CertiK”, was published first on https://cointelegraph.com/news/hackers-copied-mango-markets-attacker-s-methods-to-exploit-lodestar-certik