- Hacker artificially inflated the value of the plvGLP token used on the PlutusDAO platform.
- The attacker borrowed all available liquidity and cashed out a portion of the money.
On December 10th, a flash loan attack was conducted using the Arbitrum-based Lodestar Finance lending protocol. An attacker, as reported by Lodestar, artificially inflated the value of the plvGLP token used on the PlutusDAO platform. And then used that token to drain the platform dry of all available liquidity.
Lodestar detailed the assault process in a series of tweets. The attacker started by driving the plvGLP contract exchange rate to 1.83 GLP per plvGLP. “An exploit that by itself would be unprofitable,” according to the firm.
Bug Bounty Proposed
After providing Lodestar with plvGLP collateral, the attacker borrowed all available liquidity and cashed out a portion of the money “until the collateralization ratio mechanism prevented a full liquidation of the plvGLP.”
There were “several plvGLP holders” who “also cashed out at 1.83 glp per plvGLP” after the breach. Furthermore, it was mentioned on the DeFi platform that the hacker made a profit on the “stolen funds on Lodestar – minus the GLP they burned.” This amounts to a little over 3 million GLP.
The perpetrator netted almost $5.8 million. Lodestar claims that 2.81 million GLP, or around $2.4 million, is recovered and may be used to pay back investors. Moreover, a bug reward is being discussed between the firm and the person responsible for the exploit.
Lodestar’s oracle used to determine plvGLP pricing was the primary entry point for the assault. ,As the Solidity Finance audit team put it, “that utilising oracles resistant to manipulation is a critically important piece of DeFi, especially in protocols which lend out user assets.”
Recommended For You:
FTX Deploys a Forensic Team to Track Its Customers’ Hacked Assets