Lodestar Finance, an Arbitrum-based DeFi lending protocol, was hit by a flash loan attack on December 10 (Saturday), resulting in a reported loss of $6.9 million. Per data from Dune Analytics, an open-access site of crypto dashboards, the event has caused the total value locked to be drained to $21.0 at the time of writing.
The hacker used flash loans to exploit a vulnerability in the plvGLP contract and manipulated the exchange rate to 1.83 GLP per plvGLP. The attacker then borrowed all liquidity by supplying the inflated plvGLP as collateral, as explained in a Twitter thread by Lodestar Finance.
“They cashed out what they could but our collateralization ratio mechanism prevented them from fully cashing out the plvGLP,” the DeFi platform added. “After the hack several plvGLP holders also took advantage of the opportunity and also cashed out at 1.83 glp per plvGLP.”
The hacker burned roughly 3 million in GLP. Their profit on this exploit was the stolen funds on Lodestar minus the GLP they burned. Some 2.8 million (~$24 million) of the GLP is recoverable, the team noted.
Smart contract auditor Solidity Finance has published its findings from an investigation into the incident, stating that the attack was caused by Lodestar’s implementation of the GLP oracle, which is used to determine plvGLP pricing.
The root cause of this hack lies in vulnerabilities in the underlying smart contract, which has not been audited. PlutusDAO, whose product plvGLP was used on this lending platform, also issued an official statement saying that plvGLP is not at fault and funds on Plutus are completely safe.
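As an added example (not Lodestar's or Plutus's code), this Python model shows why a lending market that prices plvGLP from a spot exchange rate accepts the 1.83 rate as collateral value, beside a deviation-bounded oracle that refuses it. The rate formula (GLP held / plvGLP supply), the class names and every number other than 1.83 are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Vault:
    """Assumed share-vault model: rate = GLP held / plvGLP issued."""
    glp_held: float
    plvglp_supply: float

    def spot_rate(self) -> float:
        return self.glp_held / self.plvglp_supply

class SpotOracle:
    """Prices collateral from the rate at call time (movable within one tx)."""
    def __init__(self, vault: Vault):
        self.vault = vault

    def rate(self, block: int) -> float:
        return self.vault.spot_rate()

class BoundedOracle:
    """Rejects a rate deviating more than max_dev from a reference
    that can only advance once per block (hypothetical mitigation)."""
    def __init__(self, vault: Vault, block: int, max_dev: float = 0.02):
        self.vault, self.max_dev = vault, max_dev
        self.ref, self.ref_block = vault.spot_rate(), block

    def rate(self, block: int) -> float:
        spot = self.vault.spot_rate()
        if abs(spot - self.ref) / self.ref > self.max_dev:
            raise ValueError(f"rate {spot:.2f} vs reference {self.ref:.2f}")
        if block > self.ref_block:      # reference moves at most once per block
            self.ref, self.ref_block = spot, block
        return spot

def borrow_limit(oracle, block, plvglp, glp_usd, collateral_factor):
    """USD borrowing power of plvGLP collateral under the given oracle."""
    return plvglp * oracle.rate(block) * glp_usd * collateral_factor

def scenario():
    # Constructed numbers, except the 1.83 rate quoted in the article.
    vault = Vault(glp_held=1_000_000, plvglp_supply=1_000_000)
    spot, bounded = SpotOracle(vault), BoundedOracle(vault, block=100)
    args = dict(plvglp=100_000, glp_usd=1.0, collateral_factor=0.75)
    before = borrow_limit(spot, 100, **args)
    vault.glp_held = 1_830_000          # rate reads 1.83 inside block 101
    inflated = borrow_limit(spot, 101, **args)
    try:
        guarded = borrow_limit(bounded, 101, **args)
    except ValueError:
        guarded = None                  # the borrow would revert
    return before, inflated, guarded
```

With the spot oracle the same 100,000 plvGLP supports 1.83 times the borrowing it did a block earlier; the bounded oracle still accepts ordinary drift of a percent or two per block.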
DeFi protocols are prone to flash loan attacks and other hacks. Flash loans, popular in DeFi, allow users to borrow assets without providing any collateral, as long as the loan is returned within the same transaction. This makes flash loans particularly attractive to hackers, who are growing increasingly sophisticated in their oracle manipulation attacks.
According to Privacy Affairs, a cybersecurity and data privacy firm, $4.3 billion worth of cryptocurrency was stolen during the first 11 months of 2022. In Q2 2022, 27 flash loan attacks resulted in a loss of over $308 million.
Earlier this year, Ethereum DeFi protocol Beanstalk lost $182 million to a flash loan attack. In October, another flash loan attack on the Solana-based trading platform Mango Markets also resulted in a loss of $100 million.
Lodestar Finance is looking to negotiate a white-hat agreement with the hacker, as announced on Twitter. White-hat agreements have been a growing trend: projects aim to reach a consensus with hackers, awarding them a portion of the stolen funds for exposing exploits in the smart contract. This gives projects the opportunity to recover the remaining users’ funds.