$6 500 000 USD

DECEMBER 2022

GLOBAL

LODESTAR FINANCE

DESCRIPTION OF EVENTS

"Lodestar Finance is an algorithmic borrowing and lending protocol that is aiming to bring the critical DeFi primitive of decentralized money markets to Arbitrum communities." "Lodestar brings the critical DeFi primitive of decentralized money markets to Arbitrum cryptocurrencies like MAGIC, DPX, and plvGLP."

 

"The mission of Lodestar Finance is to bring decentralized lending services to blossoming Arbitrum communities like Treasure, Dopex, and Plutus to create new value for token holders and DAOs."

 

"Earn interest on Arbitrum assets like MAGIC, DPX, and plvGLP by supplying them to the protocol. Collateralize your deposit, which enables the ability to borrow crypto assets. Access liquidity without creating a taxable event. Employ leveraged trading strategies (long and short positions) by utilizing the borrowing functionalities of the protocol. Unlock the liquidity of yield bearing assets such as plvGLP without sacrificing the underlying yield."

 

"As the Arbitrum ecosystem continues to develop, we will be on the lookout for more communities to partner with and create value for layer 2 native communities that lack access to critical DeFi infrastructure."

 

"Among Lodestar’s collateral assets is the yield-bearing plvGLP, representing GLP locked in Plutus DAO’s vault."

 

"Lodestar is a Compound fork at the core, and Compound has some of the most battle-tested contracts in all of DeFi. We have added code to support a few changes we have made, namely adding Arbitrum support, DPX, MAGIC and plvGLP support, tweaking some Interest Models, and a few other small changes."

 

"The Lodestar docs state that:" "we are relying on Chainlink Oracles for accurate pricing (with the exception of plvGLP)"

 

"Manipulating the price of collateral has been a popular attack technique since the beginning of DeFi, but especially in recent times, as this incident follows the attacks on both Mango and Moola Markets, who lost $115M, and $8.4M respectively, in October."

 

"343 ETH ($430k) necessary for the attack was bridged from Polygon three months ago."

 

"Using flash loans, the attacker manipulated the plvGLP price reported by Lodestar’s GLPOracle contract, allowing them to “borrow” all the funds supplied on the platform." "[T]he attacker [drained] their lending pools for a profit of ~$6.5M."

 

"Solidity Finance summarised the root cause: The GLPOracle did not properly take into account the impact of a user calling donate() on the GlpDepositor contract, which inflates the assets of the GlpDepositor contract, and therefore the oracle-delivered price of the plvGLP token."

 

"The incident saw the token LODE dump by ~70% and TVL drop to just $11."

 

"Following the exploit, the funds were swapped to ETH, bridged back to mainnet and dispersed to multiple addresses."

 

"two days have now passed since the initial attack on Lodestar, and no mention of any planned reparations has yet been made."

 


Lodestar Finance is a decentralized borrowing and lending protocol designed for the Arbitrum community. The platform allows users to earn interest on their assets by supplying them to the protocol and collateralizing their deposits. The protocol is based on Compound and has made modifications to support Arbitrum, DPX, MAGIC, and plvGLP. It relies on Chainlink Oracles for accurate pricing, except for plvGLP. In December 2022, Lodestar fell victim to an attack where an attacker manipulated the plvGLP price reported by the GLPOracle contract, resulting in the draining of the lending pools and a profit of approximately $6.5 million. The incident caused a significant drop in the token price and total value locked (TVL). As of now, no plans for reparations have been announced.
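An added illustration of the root cause quoted above (not code from Lodestar, Plutus or Solidity Finance): it assumes the oracle price follows vault assets per share, so a donate() that adds assets without minting shares raises the reported rate, and it shows a bounded-update check that holds the last accepted rate instead. The Vault model, BoundedRateOracle, the 1% bound and all numbers are constructed for the example.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass
class Vault:
    """Assumed, simplified vault model; not Lodestar's or Plutus's code."""
    total_assets: int = 0  # underlying units held
    total_shares: int = 0  # receipt tokens outstanding

    def deposit(self, amount):
        minted = amount if not self.total_shares else (
            amount * self.total_shares // self.total_assets)
        self.total_assets += amount
        self.total_shares += minted
        return minted

    def donate(self, amount):
        """Add assets without minting shares, so assets per share rises."""
        self.total_assets += amount

def spot_rate(vault):
    """Assets per share read straight from current balances."""
    return Fraction(vault.total_assets, vault.total_shares)

class BoundedRateOracle:
    """Holds the last accepted rate; refuses a jump larger than max_step."""
    def __init__(self, vault, max_step=Fraction(1, 100)):
        self.vault, self.max_step = vault, max_step
        self.accepted = spot_rate(vault)
    def update(self):
        rate = spot_rate(self.vault)
        if abs(rate - self.accepted) > self.accepted * self.max_step:
            return False  # keep the old rate and flag it for review
        self.accepted = rate
        return True

def borrow_limit(shares, rate, collateral_factor):
    return shares * rate * collateral_factor  # in underlying units

def demo(donation=505_000):
    """Constructed numbers: donation into a vault holding 1_010_000 units."""
    vault, cf = Vault(), Fraction(3, 4)
    vault.deposit(1_000_000)
    shares = vault.deposit(10_000)
    oracle = BoundedRateOracle(vault)
    vault.donate(donation)
    ok = oracle.update()
    return (borrow_limit(shares, spot_rate(vault), cf),
            borrow_limit(shares, oracle.accepted, cf), ok)
```

demo() returns the borrowing power at the raw rate, the borrowing power at the guarded rate, and whether the update was accepted. A per-update bound only limits how fast the rate can move, so it is normally paired with a minimum interval between updates.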
