Lodestar Finance, a Compound fork on Arbitrum, is the latest victim of the mass market manipulation that has affected both people and protocols across our industry.
On Saturday, the price oracle for plvGLP collateral was manipulated, allowing the attacker to drain Lodestar’s lending pools for a profit of ~$6.5M.
That’s #77 on the leaderboard for Lodestar Finance.
Among Lodestar’s collateral assets is the yield-bearing plvGLP, representing GLP locked in Plutus DAO’s vault. Using flash loans, the attacker manipulated the plvGLP price reported by Lodestar’s GLPOracle contract, allowing them to “borrow” all the funds supplied on the platform.
The Lodestar docs state that:
we are relying on Chainlink Oracles for accurate pricing (with the exception of plvGLP)
An inviting note for any would-be attackers…
Solidity Finance summarised the root cause:
The GLPOracle did not properly take into account the impact of a user calling donate() on the GlpDepositor contract, which inflates the assets of the GlpDepositor contract, and therefore the oracle-delivered price of the plvGLP token.
Lodestar’s preliminary post mortem gives further details of the exploit, as well as pointing out that “the oracle can’t be allowed to undergo instantaneous change within the same block.”
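The toy model below is an added illustration, not code from Lodestar, Plutus DAO, Compound, Solidity Finance or Certik. It reproduces the mechanism the two quotes above describe: a share vault whose exchange rate is totalAssets / totalSupply, a donate() that raises the numerator without minting shares, a spot-reading oracle that passes the jump straight through to a lending market’s borrow limit inside the same block, and a checkpointed oracle that serves the previous block’s rate and fails closed on an outsized move. Vault, SpotOracle, CheckpointedOracle and Market are hypothetical contracts; the collateral factor, block numbers and every amount are assumptions chosen for readability. It models the in-block jump in borrowing power, not the full attack flow or its economics, which Certik’s report covers.

```python
"""Toy model of the plvGLP oracle manipulation (added example, not protocol
code). Contract names, collateral factor, block numbers and amounts are all
assumptions; GLP is priced at 1.0 USD throughout."""
from dataclasses import dataclass, field


class Revert(Exception):
    """Stands in for an EVM revert."""


@dataclass
class Vault:
    """Share vault in the style of a GlpDepositor (assumed interface): shares are
    minted pro rata to assets; donate() adds assets without minting shares."""
    total_assets: float
    total_supply: float

    def exchange_rate(self) -> float:          # GLP per share
        return self.total_assets / self.total_supply

    def deposit(self, assets: float) -> float:
        shares = assets / self.exchange_rate()
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def donate(self, assets: float) -> None:
        self.total_assets += assets         # every existing share is now worth more


class SpotOracle:
    """Vulnerable: reports the vault's live exchange rate on every call."""
    def __init__(self, vault: Vault, glp_price: float = 1.0):
        self.vault, self.glp_price = vault, glp_price

    def price(self, block: int) -> float:
        return self.vault.exchange_rate() * self.glp_price


class CheckpointedOracle:
    """Hardened: the price served in a block is the rate observed at the first call
    of the previously touched block, so nothing done later in a block can move it
    within that block; a jump beyond max_drift between observations reverts."""
    def __init__(self, vault: Vault, glp_price: float = 1.0, max_drift: float = 0.05):
        self.vault, self.glp_price, self.max_drift = vault, glp_price, max_drift
        self.block = None
        self.rate = self.pending = vault.exchange_rate()

    def price(self, block: int) -> float:
        if block != self.block:
            observed = self.vault.exchange_rate()
            if abs(observed - self.pending) > self.max_drift * self.pending:
                raise Revert("plvGLP rate moved too far in one block")   # fail closed
            self.rate, self.pending, self.block = self.pending, observed, block
        return self.rate * self.glp_price


@dataclass
class Market:
    """Compound-style market, simplified: plvGLP shares as collateral, USDC borrowable."""
    oracle: object
    usdc_liquidity: float
    collateral_factor: float = 0.8
    collateral: dict = field(default_factory=dict)   # user -> shares
    debt: dict = field(default_factory=dict)         # user -> USDC

    def supply(self, user: str, shares: float) -> None:
        self.collateral[user] = self.collateral.get(user, 0.0) + shares

    def borrow_limit(self, user: str, block: int) -> float:
        value = self.collateral.get(user, 0.0) * self.oracle.price(block)
        return value * self.collateral_factor - self.debt.get(user, 0.0)

    def borrow(self, user: str, amount: float, block: int) -> float:
        if amount > self.borrow_limit(user, block):
            raise Revert("insufficient collateral")
        if amount > self.usdc_liquidity:
            raise Revert("insufficient liquidity")
        self.usdc_liquidity -= amount
        self.debt[user] = self.debt.get(user, 0.0) + amount
        return amount


def flash_loan_attack(oracle_cls, *, honest_glp=1_000_000.0, pool_usdc=900_000.0,
                      deposit=500_000.0, donation=2_000_000.0, block=100):
    """One block: mint shares, post them as collateral, donate flash-loaned GLP,
    then try to borrow the whole USDC pool. Returns the price the market used,
    the USDC obtained (0.0 if the borrow reverted) and the price the oracle
    reports in the next block (None if that call reverts)."""
    vault = Vault(total_assets=honest_glp, total_supply=honest_glp)   # 1 share = 1 GLP
    oracle = oracle_cls(vault)
    market = Market(oracle, usdc_liquidity=pool_usdc)
    oracle.price(block)               # ordinary activity earlier in the same block
    # --- everything below happens inside one flash-loan transaction ---
    market.supply("attacker", vault.deposit(deposit))
    vault.donate(donation)            # assets up, supply unchanged: rate jumps
    price_used, borrowed = None, 0.0
    try:
        price_used = oracle.price(block)
        borrowed = market.borrow("attacker", pool_usdc, block)
    except Revert:
        pass
    try:
        next_price = oracle.price(block + 1)
    except Revert:
        next_price = None
    return {"price_used": price_used, "borrowed": borrowed,
            "next_block_price": next_price, "vault_rate": vault.exchange_rate()}


if __name__ == "__main__":
    for cls in (SpotOracle, CheckpointedOracle):
        print(cls.__name__, flash_loan_attack(cls))
```

With SpotOracle the attacker’s 500k shares are priced at 2.33 GLP within the same block as the donation and the whole 900k USDC pool is borrowable against them, more than double what the un-manipulated rate allows. With CheckpointedOracle the same transaction is priced at 1.0, the borrow reverts for insufficient collateral, and the next block’s oracle call reverts on the 133% jump. Failing closed is a deliberate trade-off: it halts plvGLP borrowing and liquidation until someone with authority looks, which beats lending against a rate that moved that far in one block.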
Certik’s report contains a full step-by-step of the attack flow.
Attacker’s address 0xc29d94386ff784006ff8461c170d1953cc9e2b5c
Example exploit tx: 0xc523c630…
The 343 ETH ($430k) necessary for the attack was bridged from Polygon three months ago. Following the exploit, the funds were swapped to ETH, bridged back to mainnet and dispersed to multiple addresses.
Manipulating the price of collateral has been a popular attack technique since the beginning of DeFi, and especially so recently: this incident follows the attacks on Mango and Moola Markets, which lost $115M and $8.4M respectively in October.
In both of those cases funds were partially or fully returned, so users didn’t totally lose out. Yet two days have now passed since the initial attack on Lodestar, and no mention of any planned reparations has yet been made.
Forking an existing project, even long-standing and resilient protocols, does not guarantee the same security.
But this paragraph in the Lodestar documentation suggests they may not have realised this…
Lodestar is a Compound fork at the core, and Compound has some of the most battle-tested contracts in all of DeFi. We have added code to support a few changes we have made, namely adding Arbitrum support, DPX, MAGIC and plvGLP support, tweaking some Interest Models, and a few other small changes.
Time is the best security audit of all, but smart contract changes render even the most time-tested protocols open to new vulnerabilities.
Another market manipulated, more millions misplaced, and the market manipulators move on…
REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.