Lodestar Finance is an algorithmic borrowing and lending protocol. This protocol allows users to lend or borrow, use liquid staking and trade with leverage. Also, the protocol feature is the ability to profit from the assets of Arbitrum: MAGIC, DPX and plvGLP. It was plvGLP that became the target for the hacker.
What is plvGLP? plvGLP is a Plutus Vault GLP. Let's take it in order. Plutus – aka PlutusDAO – is a decentralized autonomous organization. GLP is a token that consists of an index of assets used for swaps and leverage trading. GLP is the GMX platform’s liquidity provider token. In turn, plvGLP is one of the price oracles of the Lodestar Finance protocol.
Let's go back to the hacker attack. As Lodestar Finance tweeted on December 11, the protocol was exploited and deposits have been drained.
Protocol was exploited and deposits have been drained. We have set all interest rates to 0 so that supply and borrow balances are not moving while we weigh recovery options. What we know right now:
— Lodestar Finance (💙,🧡) (@LodestarFinance) December 10, 2022
Also, Lodestar Finance reported what information they know about the hacker attack. The attack began with the hacker manipulating the exchange rate of the plvGLP contract. This helped provide plvGLP collateral and borrow all available liquidity. After that, the hacker cashed out everything he could, and several plvGLP holders also used the exploit.
3. They cashed out what they could but our collateralization ratio mechanism prevented them from fully cashing out the plvGLP.
— Lodestar Finance (💙,🧡) (@LodestarFinance) December 10, 2022
4. After the hack several plvGLP holders also took advantage of the opportunity and also cashed out at 1.83 glp per plvGLP.
According to Lodestar Finance, the hacker was able to exploit the protocol to the amount of about $5.8 million, but Plutus later confirmed that $2.4 million is recoverable. Lodestar Finance hopes that the hacker will return the funds for a reward under the bug bounty program.
see if we can negotiate a bug bounty to recover more funds.
— Lodestar Finance (💙,🧡) (@LodestarFinance) December 10, 2022
7. If you are the hacker, we will be reaching out to you on Debank at these 3 addresses:
0xdef9c01995860ea746cbe70076988ab124517a0a
0x3da5e8a9c6eabd989f0bbe0aafc5da47784f6fa9
0x0a62f4136db3d1a98e6874fce190cae96edec818
So far, there is no complete detailed analysis of the situation, but Lodestar Finance has shared a brief summary of this attack.
We just published a summary Post-Mortem of yesterday's exploit:https://t.co/YeZMFnuZpV
— Lodestar Finance (💙,🧡) (@LodestarFinance) December 11, 2022
Also, Lodestar Finance recently shared the news that it managed to calculate all the losses of user funds. Total losses amounted to 5,648 ETH, and approximately 2.72 million GLP was recovered.
If you were a victim of the Lodestar exploit, please make sure your address is present on this list:https://t.co/3eHOfGzdI3 pic.twitter.com/58iGYsDxQU
— Lodestar Finance (💙,🧡) (@LodestarFinance) December 17, 2022
Lodestar Finance has become another victim of hackers. This year, hacker attacks on crypto and DeFi services have become more frequent. You can read about what else was attacked by hackers on our website under the tag #Hacks&Bugs. And we continue to observe.
