According to a post-mortem analysis provided by CertiK of the $5.8 million Lodestar Finance exploit that occurred on Dec. 10, 

In a similar instance, CertiK said that Lodestar Finance hackers “artificially pumped the price of an illiquid collateral asset which they then borrow against, leaving the protocol with irretrievable debt.”

“Despite some of the losses being potentially recoverable, the protocol is functionally insolvent right now, and users are being urged not to repay any loans they have taken out.”

The attack occurred through a vulnerability in the PlutusDAO’s plvGLP token on Lodestar. According to its documentation, Lodestar “uses verified, secure Chainlink price feeds for every asset it offers with the exception of plvGLP.” Instead, the exchange rate of plvGLP to GLP relied on total assets divided by total supply on Lodestar.

As explained by CertiK, the exploiter first funded their wallet with 1,500 Ether (ETH) on Dec. 8, who then took out eight flashloans for a total of approximately $70 million worth of USD Coin (USDC), wrapped Ether (wETH), and DAI (DAI) two days later. This drove the exchange rate of plvGLP to GLP to 1.00:1.83, which meant that the exploiter was able to borrow even more assets from the protocol.

The borrowings quickly…

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.
You need to agree with the terms to proceed