Lodestar Finance, a lending protocol on Arbitrum, was exploited for $6.5m on 10 December. At the center of the attack was a vulnerability in the GLPOracle, which enabled the exploiter to inflate the value of plvGLP and drain the lending market’s available liquidity.
The attack was highly complex and involved a number of transactions, including 8 flashloans worth c. $70.5m. The attacker deposited USDC as collateral on Lodestar, loop-borrowed Plutus staked GLP (plsGLP) and then lent it for iplsGLP. In the process, the attacker managed to grow the difference between plsGLP and GLP, which was then arbitraged for profit.
According to Certik, the Oracle vulnerability is as follows:
By manipulating the exchange ratio, the attacker was able to push up the price by 1.7x. Certik’s detailed analysis can be found here. Lodestar also published a short summary of the events and expects to recover $2.4m in lost funds.
The exploit targeted the exchange ratio of Plutus staked GLP, a wrapped version of GLP, not GLP itself. This attack vector cannot play out on Vesta because only sGLP is accepted, not wrapped or derivative versions of GLP.
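The following is an added example, not code from Lodestar, Certik or Vesta: a feed for a wrapped token whose price depends on an exchange ratio can refuse updates in which that ratio moves further than a configured bound. The pricing model (underlying price times assets per share), the class and method names, the 2% bound and the sample figures are assumptions constructed for illustration; only the 1.7x jump is taken from the text above.

```python
from dataclasses import dataclass
from fractions import Fraction


class RatioDeviation(Exception):
    """The exchange ratio moved more than the allowed bound in one update."""


@dataclass
class GuardedWrappedOracle:
    # Assumed model: wrapped price = underlying price * (assets / shares).
    underlying_price: Fraction            # constructed value, e.g. USD per unit
    max_step: Fraction                    # max relative ratio change per update
    last_ratio: Fraction = Fraction(1)    # last accepted assets-per-share ratio

    def update(self, total_assets: int, total_shares: int) -> Fraction:
        """Accept a new ratio only if it stays within max_step of the last one."""
        if total_shares <= 0:
            raise ValueError("no shares outstanding")
        ratio = Fraction(total_assets, total_shares)
        change = abs(ratio - self.last_ratio) / self.last_ratio
        if change > self.max_step:
            # Keep the previous ratio; the caller should pause the market
            # or fall back to another source instead of pricing on this value.
            raise RatioDeviation(f"ratio moved {float(change):.1%}")
        self.last_ratio = ratio
        return self.price()

    def price(self) -> Fraction:
        return self.underlying_price * self.last_ratio


def demo() -> list:
    """Constructed scenario: normal accrual, then a 1.7x ratio jump."""
    oracle = GuardedWrappedOracle(Fraction(1), max_step=Fraction(2, 100))
    results = [("accrual", oracle.update(1_010_000, 1_000_000))]
    try:
        oracle.update(1_700_000, 1_000_000)   # ratio 1.7, as in the text
        results.append(("jump", "accepted"))
    except RatioDeviation:
        results.append(("jump", "rejected"))
    results.append(("price_after", oracle.price()))
    return results


if __name__ == "__main__":
    for name, value in demo():
        print(name, value)
```
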
The cap utilization of gOHM and sGLP remains significant at 89.4% and 99.3% respectively.
The VAR for the worst day simulation stands at zero. All current MCRs are well above the recommended levels.
The ratio of $VST to FRAX in the VST-FRAX pool remains around 2:1.
gOHM remains the #1 collateral asset, accounting for $14m or 53% of the total collateral base, followed by sGLP, which increased by $1.6m to $8.5m (32% of total collateral).