Lodestar Finance $6.5 Million Exploit Decrypted | BlockAudit

BlockAudit
5 min read · Dec 19, 2022


What happened to Lodestar Finance ($LODE):

Due to a flaw in the GLPOracle price computation, Lodestar Finance's protocol was attacked on December 10th, 2022, and its deposits were drained. The exploiter made about $6.5 million, which was bridged to Ethereum and dispersed to 3 addresses belonging to third parties. Although Lodestar has attempted to negotiate with the exploiter, no response had been received as of this writing.

Lodestar Finance: An Overview

Lodestar Finance is an algorithmic lending and borrowing protocol that was first developed and launched on the Arbitrum network. Its goal is to bring the core DeFi primitive of decentralised money markets to Arbitrum communities.

At launch, Lodestar Finance supports the two largest communities on Arbitrum, $Magic and $DPX, which did not previously have access to such services.

More information about the protocol may be found here

Vulnerability Analysis & Impact:

The exploiter was able to control the price of Plutus Staked GLP (plsGLP), the asset they lent to the Lodestar platform in exchange for iplsGLP. The attacker was therefore able to borrow more than the true value of their collateral should have allowed. In this instance, the attacker borrowed almost all of Lodestar's assets, leaving the protocol with a bad debt of approximately $6 million.

Details Of the Attack:

The attack can be summarised as follows:

  • The attacker loads Lodestar with a substantial sum of USDC.
  • The attacker takes out a plsGLP loan (a long-tail, high-risk asset).
  • The attacker lends and is given plsGLP.
  • The attacker repeats the process.

The core problem is that the plsGLP oracle price can be manipulated. The more valuable plsGLP appears to be, the more profit can be extracted from it, and the higher the plsGLP to GLP exchange rate, the larger the redemption that becomes possible.

The attacker then increased the price of plsGLP so that they could borrow the remaining assets:

[Figure: Tenderly transaction trace]

The attacker then arbitraged the price difference between plsGLP and GLP to maximize their profit.

What was the problem with the code?

The primary weakness is in GLPOracle itself and how it determines its pricing. The following equations define the price the oracle reflects:

  • GLPPRICE = GLPVALUE / GLPSUPPLY
  • plvGLPexchangerate = totalassets / totalsupply
  • Price of PlvGLP = plvGLPexchangerate * GLPPRICE / Constant value

The plvGLPexchangerate rises as totalassets rises, so the price of PlvGLP rises with it. To push up the price of PlvGLP, the attacker inflates totalassets by giving away their sGLP through the donate function.

The starting price ratio was 1.07; the final price ratio was 1.82.

The GLPOracle did not properly take into account the impact of a user calling donate() on the GlpDepositor contract, which inflates the assets of the GlpDepositor contract, and therefore the oracle-delivered price of the plvGLP token.
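To make the three oracle equations concrete, the following Python model is added here; it is not code from the original post or from Lodestar. It pairs the naive oracle, whose plvGLP price moves the moment totalassets is inflated by a donation, with a hardened variant that reads the exchange rate at most once per block and refuses a jump beyond a configurable bound, the per-block behaviour the mitigation section below calls for. The vault balances, the 5% bound and the folded scaling constant are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class GlpDepositor:
    """Constructed model of the GlpDepositor vault: plvGLP shares backed by sGLP."""
    total_assets: int   # sGLP held by the vault
    total_supply: int   # plvGLP shares outstanding

    def exchange_rate(self) -> float:
        return self.total_assets / self.total_supply

    def donate(self, amount: int) -> None:
        # Assets grow but no shares are minted, so each share is backed by more sGLP.
        self.total_assets += amount

def glp_price(glp_value: float, glp_supply: float) -> float:
    return glp_value / glp_supply

def naive_plvglp_price(vault: GlpDepositor, glp_value: float, glp_supply: float) -> float:
    # The post's three equations, with the scaling constant folded to 1 (assumption).
    return vault.exchange_rate() * glp_price(glp_value, glp_supply)

class GuardedOracle:
    """Hardened variant (added here, not Lodestar's code): reads the exchange rate at most
    once per block and rejects a jump above max_deviation instead of serving it."""
    def __init__(self, vault: GlpDepositor, block: int, max_deviation: float = 0.05) -> None:
        self.vault = vault
        self.max_deviation = max_deviation   # the 5% bound is a constructed assumption
        self.last_rate = vault.exchange_rate()   # reading accepted in `block`
        self.last_block = block

    def price(self, block: int, glp_value: float, glp_supply: float) -> float:
        if block != self.last_block:
            rate = self.vault.exchange_rate()
            change = rate / self.last_rate - 1
            if abs(change) > self.max_deviation:
                raise ValueError(f"exchange rate moved {change:+.0%} in one step; rejected")
            self.last_rate, self.last_block = rate, block
        return self.last_rate * glp_price(glp_value, glp_supply)

if __name__ == "__main__":
    vault = GlpDepositor(total_assets=1_070, total_supply=1_000)  # constructed: ratio 1.07
    oracle = GuardedOracle(vault, block=1)
    vault.donate(750)                                             # constructed: ratio 1.82
    print("naive after donate:", naive_plvglp_price(vault, 1.0, 1.0))
    print("guarded, same block:", oracle.price(1, 1.0, 1.0))
    try:
        oracle.price(2, 1.0, 1.0)
    except ValueError as err:
        print("guarded, next block:", err)
```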

Flow Of the Attack

The exploiter obtained eight flash loans totalling about $70.5 million. To begin the exploit, the exploiter deposited the whole borrowed amount of ETH (14,960) into GMX. Because of how the GLP price was determined, the protocol was left with bad debt.

The exploiter took out 8 flash loans:

  • 17,290,000 USDC
  • 9,500 WETH
  • 4,067,721 DAI
  • 14,435,000 USDC
  • 5,460 WETH
  • 7,170,000 USDC
  • 2,200,000 USDC
  • 10,000,000 USDC

The exploiter then deposits the combined WETH (14,960) into GMX and withdraws it.

The exploiter exchanges 14,960 WETH for 19,001,512 USDC.

The exploiter then deposits roughly $70 million USD into the platform, which triggers the Lodestar bank run.

The exploiter then repeatedly borrows plsGLP and lends the plsGLP back to receive iplsGLP, until they control nearly the whole supply.

When the exploiter calls the donate function, the vault's assets are inflated by the donated amount, which completely distorts the price of the assets in the pool and allows the protocol to be drained. This increases the supply of sGLP by almost 1.68x.

After asset prices are pushed up, the attacker borrows the remaining assets, leaving Lodestar with bad debt.

All flash loans were then repaid with interest before the underlying assets were redeemed for 4,527 ETH.

With the exchange rate manipulated, the exploiter then approximately doubles their plvGLP when exchanging it for plsGLP (9,651,000 tokens).

  • 9,651,000 tokens are sent to the plsGLP vault.
  • The tokens are then burned and the rebate is sent to the vault (34k plsGLP).
  • 104,000 tokens are removed from the transactions for staking.
  • The remaining 9,812,000 fsGLP tokens are then sent to the exploiter.

In the remaining exploit transactions the exploiter redeems the underlying asset (fsGLP) for roughly 4,527 ETH (about $5,800,000).

For further details of the transaction history, readers can use the references below:

Transaction Hash:
0xc523c6307b025ebd9aef155ba792d1ba18d5d83f97c7a846f267d3d9a3004e8c

Address of the Attacker:
0xc29d94386ff784006ff8461c170d1953cc9e2b5c

Lodestar Finance confirms exploit:

Lodestar Finance acknowledged the incident and even tried to negotiate a deal with the exploiter.

Loss faced by $LODE:

The price fell after the hack, but Lodestar Finance is trying to stay in the market.

Recommended Mitigation Steps:

The Lodestar Finance hack was possible because the token price computation was insecure: the protocol permitted price updates inside a single block, which left it susceptible to price manipulation attacks.

This kind of price manipulation attack is common, and unsafe pricing computations can be found by conducting a security audit of the smart contracts before they go live.

Hustling with web3 security! Connect with us!

BlockAudit: why us?
BlockAudit has the resources and knowledge to create cybersecurity solutions that save millions of dollars.


BlockAudit

BlockAudit is a pioneering blockchain security company. Our mission is to secure your project from all possible security threats.