According to a post-mortem analysis provided by CertiK of the $5.8 million Lodestar Finance exploit that occurred on December 10.
5. The hacker burned a little over 3 million in GLP, their profit on this exploit was the stolen funds on Lodestar – minus the GLP they burned.
6. 2.8 Million of the GLP is recoverable, which is worth about $2.4 million. We are going to reach out to the hacker and…
— Lodestar Finance (@LodestarFinance) December 10, 2022
In a similar case, CertiK said the Lodestar Finance hackers “artificially inflated the price of an illiquid collateral asset that they then borrowed against, leaving the protocol with a bad debt.”
“Although some of the losses are potentially recoverable, the protocol is functionally insolvent at this time, and users are urged not to repay any loans they have taken out.”
The attack occurred via a vulnerability in how Lodestar priced PlutusDAO’s plvGLP token. According to its documentation, Lodestar “uses verified and secure Chainlink price sources for all the assets it offers, with the exception of plvGLP.” Instead, the exchange rate from plvGLP to GLP was calculated on Lodestar as the vault’s total assets divided by its total supply.
As explained by CertiK, the attacker first funded a wallet with 1,500 Ether (ETH) on December 8, and then, two days later, took out eight flash loans totaling approximately $70 million in USD Coin (USDC), wrapped Ether (wETH) and Dai (DAI). This pushed the plvGLP to GLP exchange rate to 1.00:1.83, which meant that the exploiter was able to borrow even more assets from the protocol.
The loans quickly consumed all of the platform’s liquidity, after which the hacker transferred the funds out of Lodestar, leaving users with a bad debt. The exploiter is estimated to have earned a total of $6.9 million in profits through the attack vector.
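The design flaw CertiK describes is the pricing rule itself: a collateral rate derived from total assets divided by total supply moves whenever assets enter the vault without shares being minted. The simulation below is an added example, not code from Lodestar, PlutusDAO or CertiK; all balances, the loan-to-value ratio and the reference rate are constructed, and the guarded pricing function is an illustrative mitigation (a deviation check against a slower reference rate), not something the article says the protocol used.

```python
from dataclasses import dataclass


@dataclass
class ShareVault:
    """Constructed model of a share token (plvGLP) over an underlying (GLP)."""
    total_assets: float   # underlying GLP held by the vault
    total_supply: float   # plvGLP shares outstanding

    def spot_rate(self) -> float:
        # Naive on-chain rate: shares -> underlying = total_assets / total_supply.
        # Any path that adds assets without minting shares raises this value.
        return self.total_assets / self.total_supply


def borrow_capacity(shares: float, rate: float, glp_usd: float, ltv: float) -> float:
    """USD a lender would extend against `shares` priced at `rate` (constructed LTV)."""
    return shares * rate * glp_usd * ltv


def guarded_rate(spot: float, reference: float, max_deviation: float) -> float:
    """Defensive pricing: refuse to value collateral when the live share rate
    drifts more than `max_deviation` from a slower reference (e.g. a TWAP or
    an independent oracle). Raising here lets a lending market pause borrows
    instead of accepting a rate that changed within a single block."""
    if abs(spot - reference) / reference > max_deviation:
        raise ValueError("share rate deviates from reference; refusing to price")
    return spot


def simulate() -> dict:
    vault = ShareVault(total_assets=1_000_000.0, total_supply=1_000_000.0)
    baseline = vault.spot_rate()                       # 1.00
    # Constructed single-block inflow of assets with no share mint.
    vault.total_assets += 830_000.0
    inflated = vault.spot_rate()                       # 1.83
    shares, glp_usd, ltv = 100_000.0, 1.0, 0.8
    before = borrow_capacity(shares, baseline, glp_usd, ltv)
    after = borrow_capacity(shares, inflated, glp_usd, ltv)
    try:
        guarded_rate(inflated, reference=baseline, max_deviation=0.05)
        guarded = "accepted"
    except ValueError:
        guarded = "rejected"
    return {"baseline": baseline, "inflated": inflated,
            "capacity_before": before, "capacity_after": after,
            "guarded": guarded}
```

The unguarded path lets the same 100,000 shares back roughly 83% more borrowing after one inflow; the guarded path refuses to price the collateral until the rate is corroborated.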
“While Lodestar is approaching the exploiter in an attempt to negotiate an ex post facto bug bounty, the funds are likely to be mostly unrecoverable. In the absence of an insurance fund that can cover losses, users of the platform bear the cost of the exploit.”
CertiK warned that the attack “is the result of protocol design flaws rather than a bug in its smart contract code.” The blockchain security firm further highlighted that Lodestar launched without an audit, and therefore without a third-party review of its protocol design.
Disclaimer: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information presented here should not be taken as financial advice or an investment recommendation. All investments and trades involve risk, and it is the responsibility of each person to do their own research before making an investment decision.
Investments in crypto assets are not regulated. They may not be suitable for retail investors and the entire amount invested may be lost. The services or products offered are not directed or accessible to investors in Spain.