According to a post-mortem analysis published by CertiK of the $5.8 million Lodestar Finance exploit that occurred on Dec. 10,
5. The hacker burned a bit over 3 million in GLP; their profit on this exploit was the stolen funds on Lodestar, minus the GLP they burned.
6. 2.8 million of the GLP is recoverable, which is worth about $2.4 million. We will reach out to the hacker and…
— Lodestar Finance (@LodestarFinance) December 10, 2022
In a similar account, CertiK stated that the Lodestar Finance hackers “artificially pumped the value of an illiquid collateral asset which they then borrowed against, leaving the protocol with irretrievable debt.”
“Despite some of the losses being potentially recoverable, the protocol is functionally insolvent right now, and users are being urged not to repay any loans they’ve taken out.”
The attack went through a vulnerability in how Lodestar priced PlutusDAO’s plvGLP token. According to its documentation, Lodestar “uses verified, secure Chainlink price feeds for every asset it offers except for plvGLP.” Instead, the exchange rate of plvGLP to GLP relied on the vault’s total assets divided by its total supply, a spot value that anyone who can move assets into the vault can change within a single transaction.
As explained by CertiK, the exploiter first funded their wallet with 1,500 Ether (ETH) on Dec. 8, then two days later took out eight flash loans for a total of roughly $70 million worth of USD Coin (USDC), wrapped Ether (wETH) and Dai (DAI). This drove the exchange rate of plvGLP to GLP to 1.00:1.83, which meant the exploiter was able to borrow far more assets from the protocol against the same collateral.
The borrowings quickly consumed all liquidity on the platform, after which the hacker transferred the funds out of Lodestar, leaving users with bad debt. It is estimated that the exploiter made a total of $6.9 million in profit through this attack vector.
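The following toy model is added here to show the mechanism the text describes; it is not Lodestar’s, PlutusDAO’s or CertiK’s code, and it does not reproduce the on-chain transactions. The vault size, the attacker’s collateral, the collateral factor of 0.8, a GLP price of $1 and the size of the rate-moving deposit are all constructed numbers, chosen so the rate lands at the 1.83 figure CertiK reported. The checkpointed oracle is one possible mitigation and is an assumption of this example, not something the page says Lodestar deployed.

```python
"""Toy model of a spot totalAssets/totalSupply exchange-rate oracle, the
single-transaction manipulation it allows, and a checkpoint guard.

Added illustration; not Lodestar's, PlutusDAO's or CertiK's code.
All numbers below are constructed, not taken from the incident.
"""
from dataclasses import dataclass


class Revert(Exception):
    """Stand-in for an EVM revert."""


@dataclass
class ShareVault:
    """plvGLP-style share token over a GLP-style underlying.

    exchange_rate() is total underlying held / total shares, read live.
    Adding underlying without minting shares ("donating") raises the rate
    for every existing share inside one transaction; that is the
    totalAssets/totalSupply construction the text describes.
    """
    assets: float  # underlying (GLP) held by the vault
    shares: float  # share tokens (plvGLP) outstanding

    def exchange_rate(self) -> float:
        return self.assets / self.shares if self.shares else 1.0

    def deposit(self, amount: float) -> float:
        """Mint shares at the current rate; returns the shares minted."""
        minted = amount / self.exchange_rate()
        self.assets += amount
        self.shares += minted
        return minted

    def donate(self, amount: float) -> None:
        """Add underlying with no shares minted; the rate jumps immediately."""
        self.assets += amount


@dataclass
class SpotRateOracle:
    """The weak construction: price plvGLP straight off the live vault rate."""
    vault: ShareVault

    def rate(self) -> float:
        return self.vault.exchange_rate()


@dataclass
class CheckpointedRateOracle:
    """Hardened variant (an assumption of this example): refuse a rate that
    moved more than max_step from the last checkpoint. A checkpoint would be
    advanced by a keeper or on a time delay, never inside the transaction
    that reads it, so a same-block donation cannot drag it along."""
    vault: ShareVault
    checkpoint: float
    max_step: float = 0.05  # 5% allowed move per checkpoint (assumption)

    def rate(self) -> float:
        spot = self.vault.exchange_rate()
        if abs(spot - self.checkpoint) > self.checkpoint * self.max_step:
            raise Revert(f"rate {spot:.2f} deviates from checkpoint {self.checkpoint:.2f}")
        return spot


def borrow_capacity(oracle, collateral_shares: float, glp_price_usd: float,
                    collateral_factor: float) -> float:
    """USD a lending market will lend against `collateral_shares` of plvGLP."""
    return collateral_shares * oracle.rate() * glp_price_usd * collateral_factor


def simulate_pump(oracle_cls, donation: float, **oracle_kwargs) -> dict:
    """Post collateral at the honest rate, donate to pump the rate, then re-read
    borrow capacity for the same collateral. Vault of 8,000,000 GLP backing
    8,000,000 shares (rate 1.00) and a 2,000,000 GLP collateral deposit are
    constructed; a donation of 8,300,000 gives 18,300,000 / 10,000,000 = 1.83."""
    vault = ShareVault(assets=8_000_000, shares=8_000_000)
    oracle = oracle_cls(vault, **oracle_kwargs)
    collateral = vault.deposit(2_000_000)  # attacker's collateral, minted at 1.00
    before = borrow_capacity(oracle, collateral, glp_price_usd=1.0, collateral_factor=0.8)
    vault.donate(donation)  # no shares minted: every share is now "worth" more GLP
    try:
        after = borrow_capacity(oracle, collateral, glp_price_usd=1.0, collateral_factor=0.8)
        reverted = False
    except Revert:
        after, reverted = None, True  # guarded oracle refused to price the pumped rate
    return {"rate": vault.exchange_rate(), "capacity_before": before,
            "capacity_after": after, "reverted": reverted}


if __name__ == "__main__":
    print("spot oracle:", simulate_pump(SpotRateOracle, donation=8_300_000))
    print("checkpointed oracle:",
          simulate_pump(CheckpointedRateOracle, donation=8_300_000, checkpoint=1.0))
```

With the spot oracle the same 2,000,000 plvGLP of collateral supports $1,600,000 of borrowing before the donation and about $2,928,000 after it, without any change in what the collateral is actually backed by at the moment of minting. With the checkpointed oracle the borrow reverts instead. The trade-off is that a tight bound also blocks legitimate large rate moves, which is why a time-weighted rate or an independent feed is usually preferred over a bare deviation check.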
“While Lodestar is reaching out to the exploiter in an attempt to negotiate a bug bounty ex post facto, the funds are likely to be mostly unrecoverable. In the absence of an insurance fund that can cover the losses, users of the platform bear the cost of the exploit.”
CertiK warned that the attack “is the result of flaws in the protocol’s design rather than a bug in its smart contract code.” The blockchain security firm further highlighted that Lodestar launched without an audit and, therefore, without a third-party review of its protocol design, including the choice to price plvGLP from a manipulable on-chain ratio rather than an independent feed.