According to a post-mortem analysis provided by CertiK for the $5.8 million Lodestar Finance exploit on December 10:
5. The hackers burned just over $3 million in GLP. Their profit from this exploit is the funds stolen from Lodestar minus their burned GLP.
6. 2.8 million GLP are recoverable, which is worth roughly $2.4 million. Reach out to the hackers…
— Lodestar Finance (@LodestarFinance) December 10, 2022
In the same post, CertiK stated that the Lodestar Finance hackers “artificially pushed up the value of illiquid collateral assets and borrowed against them, leaving the protocol with irrecoverable debt.”
“Though some of the losses may be recoverable, the protocol is currently functionally broken and users are being asked not to repay loans they have taken.”
The attack was caused by a vulnerability in PlutusDAO’s plvGLP token on Lodestar. According to its documentation, Lodestar “uses a verified and secure Chainlink price feed for all assets it offers, except plvGLP.” Instead, the plvGLP to GLP exchange rate was dependent on Lodestar’s total assets divided by its total supply.
As explained by CertiK, the exploiters first funded the wallet with 1,500 Ether (ETH) on Dec. 8, followed by a total of about $70 million worth of USD Coin (USDC), Wrapped Ether (wETH), and DAI two days later. This resulted in an exchange rate of 1.00:1.83 from plvGLP to GLP, allowing the attacker to borrow far more assets from the protocol.
Borrowing quickly consumed all liquidity on the platform, and the hackers transferred the funds out of Lodestar, leaving users with bad debt. The attackers are estimated to have made a total of $6.9 million in profit through the attack vectors.
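The pricing flaw described above, as an added example that is not part of the original article or of Lodestar's code: a vault whose share price is simply total assets divided by total supply can be moved by sending assets to it without minting shares, while a lending protocol that bounds how far an accepted rate may step per update (or falls back to a reference feed) is not fooled by such a jump. All numbers are constructed for illustration.

```python
# Added example: vault share price as total_assets / total_supply, and a
# defensive bounded-rate check for consumers of that price.
# Numbers are constructed for illustration, not taken from on-chain data.
from dataclasses import dataclass


@dataclass
class ShareVault:
    """Minimal model of a vault priced by total_assets / total_supply."""
    total_assets: float   # underlying tokens held (GLP in the article)
    total_supply: float   # receipt tokens outstanding (plvGLP in the article)

    def exchange_rate(self) -> float:
        # The rate the article says Lodestar used for plvGLP.
        return self.total_assets / self.total_supply

    def deposit(self, amount: float) -> float:
        """Normal deposit mints shares at the current rate; rate is unchanged."""
        minted = amount / self.exchange_rate()
        self.total_assets += amount
        self.total_supply += minted
        return minted

    def donate(self, amount: float) -> None:
        """Assets sent to the vault with no shares minted: the rate rises."""
        self.total_assets += amount


class BoundedRateOracle:
    """Refuses a new rate that moves more than max_step from the last accepted
    one; a caller should then pause borrowing or use a reference feed."""

    def __init__(self, initial_rate: float, max_step: float = 0.05):
        self.last_rate = initial_rate
        self.max_step = max_step

    def accept(self, candidate: float) -> bool:
        deviation = abs(candidate - self.last_rate) / self.last_rate
        if deviation > self.max_step:
            return False
        self.last_rate = candidate
        return True


def collateral_value(shares: float, oracle: BoundedRateOracle, vault: ShareVault) -> float:
    """Value shares with the last accepted rate, not the raw vault rate."""
    oracle.accept(vault.exchange_rate())
    return shares * oracle.last_rate


def demo():
    vault = ShareVault(total_assets=100.0, total_supply=100.0)
    oracle = BoundedRateOracle(vault.exchange_rate())
    vault.deposit(50.0)      # rate stays 1.00
    vault.donate(124.5)      # raw rate becomes 274.5 / 150 = 1.83
    return vault.exchange_rate(), collateral_value(10.0, oracle, vault)
```

`demo()` returns the raw rate 1.83 alongside a collateral valuation that still uses 1.00, because the oracle rejected the 83% step.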
“Lodestar is reaching out to the attackers in an attempt to negotiate a bug bounty after the fact, but the funds are likely to be largely unrecoverable. If there is no insurance fund to cover the losses, users of the platform will bear the costs of the exploit.”
CertiK warns that the attack “is the result of a design flaw in the protocol, not a bug in the smart contract code.” The blockchain security firm further emphasised that Lodestar launched without an audit. Therefore, there was also no third-party review of the protocol design.