According to a post-mortem analysis provided by CertiK of the $5.8 million Lodestar Finance exploit that occurred on Dec. 10,
In a similar instance, CertiK said that Lodestar Finance hackers "artificially pumped the price of an illiquid collateral asset which they then borrow against, leaving the protocol with irretrievable debt."
"Despite some of the losses being potentially recoverable, the protocol is functionally insolvent right now, and users are being urged not to repay any loans they have taken out."
The attack occurred through a vulnerability in the PlutusDAO's plvGLP token on Lodestar. According to its documentation, Lodestar "uses verified, secure Chainlink price feeds for every asset it offers with the exception of plvGLP." Instead, the exchange rate of plvGLP to GLP relied on total assets divided by total supply on Lodestar.
As explained by CertiK, the exploiter first funded their wallet with 1,500 Ether (ETH)
on Dec. 8, who then took out eight flashloans for a total of approximately $70 million worth of USD Coin (USDC), wrapped Ether (wETH), and DAI (DAI) two days later. This drove the exchange rate of plvGLP to GLP to 1.00:1.83, which meant that the exploiter was able to borrow even more assets from the protocol.
The borrowings quickly consumed all liquidity on the platform, leading the hacker transfer the funds out of Lodestar and leaving users with bad debt. It is estimated that the exploiter made a total of $6.9 million in profits through the attack vector.
"While Lodestar is reaching out to the exploiter in an attempt to negotiate a bug bounty ex post facto, the funds are likely to be mostly unrecoverable. In the absence of an insurance fund that can cover the losses, users of the platform bear the cost of the exploit."
CertiK warned that the attack "is the result of flaws in the protocol's design rather than a bug in its smart contract code." The blockchain security firm further highlighted that Lodestar launched without an audit, and, therefore, without a third-party review of its protocol design.