Lodestar Finance Collateral Price Manipulation
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Lodestar Finance is a decentralized borrowing and lending protocol designed for the Arbitrum community. The platform allows users to earn interest on their assets by supplying them to the protocol and collateralizing their deposits. The protocol is based on Compound and has made modifications to support Arbitrum, DPX, MAGIC, and plvGLP. It relies on Chainlink Oracles for accurate pricing, except for plvGLP. Recently, Lodestar fell victim to an attack where an attacker manipulated the plvGLP price reported by the GLPOracle contract, resulting in the draining of the lending pools and extracting a profit of approximately $6.5 million. The incident caused a significant drop in the token price and total value locked (TVL). No plans for reparations have been announced.
About Lodestar Finance
Lodestar Finance is an algorithmic borrowing and lending protocol focused on decentralized money markets in Arbitrum communities. It aims to provide decentralized lending services to emerging communities like Treasure, Dopex, and Plutus, benefiting token holders and DAOs. The platform allows users to earn interest by supplying assets like MAGIC, DPX, and plvGLP to the protocol and collateralizing their deposits. It enables borrowing of crypto assets, access to liquidity without triggering taxable events, and leveraged trading strategies. Lodestar plans to partner with more communities as the Arbitrum ecosystem evolves, aiming to support layer 2 native communities that lack access to critical DeFi infrastructure. One of its collateral assets is plvGLP, which represents locked GLP from Plutus DAO. Built as a Compound fork, Lodestar has added code to support changes, including Arbitrum integration, support for DPX, MAGIC, and plvGLP, modifications to interest models, and other adjustments.
There were some interesting warning signs which would have been visible prior to the exploit.
History of Price Manipulation Attacks
As Rekt explains in their description, price manipulation is not a new technique.
"Manipulating the price of collateral has been a popular attack technique since the beginning of DeFi, but especially in recent times, as this incident follows the attacks on both Mango and Moola Markets, who lost $115M, and $8.4M respectively, in October."
The Lodestar Finance team provides a disclaimer on their Security page, which was present at the time of the attack. The disclaimer specifically makes mention of the use of Chainlink, except for the plvGLP asset, which could be interpreted as an invitation for an attacker to look for a potential vulnerability.
Caution should be exercised when interacting with any smart contract or blockchain application. There is always risk of vulnerabilities in smart contract code, and while the codebase we launching with is incredibly battle-tested and we are relying on Chainlink Oracles for accurate pricing (with the exception of plvGLP), there are still always risks. We have attempted to mitigate them through extensive unit and integration testing, leaning on the community for beta testing, along with ongoing bug bounties, but there is still always going to be an inherent smart contract risk and market risks while using the protocol.
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
|December 10th, 2022 9:43:26 AM MST||Exploit Transaction||One of the exploit transactions on the blockchain. TBD further analysis.|
|December 10th, 2022 2:03:00 PM MST||Solidity Finance Report||Solidity Finance publishes a technical analysis of the exploit on Twitter.|
|December 10th, 2022 2:14:00 PM MST||Lodestar Finance Announcement||Lodestar Finance reports on Twitter that they've set all interest rates to 0 while they weight options. They also provide some details on the exploit which occurred.|
|December 10th, 2022 2:56:00 PM MST||Lodestar Finance Message To Attacker||Lodestar Finance posts a specific plea to the attacker on Twitter, requesting they "reach out" to "find a white-hack agreement" and offering to "generously reward" the "collaboration".|
|December 11th, 2022 1:24:00 AM MST||CertiK Incident Report||CertiK posts an announcement on Twitter about the exploit "resulting in a ~$6.5m profit for the exploiter" and notes that "[t]he team has set interest rates to 0 so that supply and borrow balances will not move".|
|December 11th, 2022 4:18:00 AM MST||Post Mortem Summary||The Lodestar Finance team shares a post-mortem summary of the exploit. They mention that the attacker has "thus far not responded" to their requests to negotiate a bug bounty and they are proceeding with a recovery plan based on the 2,720,000 GLP from the plvGLP contract.|
|December 12th, 2022||Rekt Publishes Article||Rekt publishes an article on the situation.|
|December 17th, 2022 12:11:00 PM MST||List of Affected Users Published||As part of the recovery plan, Lodestar publishes a list of affected users to their Twitter and requests others to ensure they are present on the list.|
|March 8th, 2023 5:03:21 PM MST||Audit Competition Launched||Lodestar Finance launches an audit competition. "In this competition, participants from all over the world will be searching for vulnerabilities in the Lodestar Finance contract directory, with prizes awarded based on the severity of each vulnerability found."|
|March 22nd, 2023 12:00:00 PM MDT||Crowd Audit Completed||The audit was completed and reportedly "No critical bug putting funds at risk was reported, while 18 medium improvements were reported and 2 gas optimisations".|
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
"Using flash loans, the attacker manipulated the plvGLP price reported by Lodestar’s GLPOracle contract, allowing them to “borrow” all the funds supplied on the platform." "[T]he attacker [drained] their lending pools for a profit of ~$6.5M."
"Solidity Finance summarised the root cause: The GLPOracle did not properly take into account the impact of a user calling donate() on the GlpDepositor contract, which inflates the assets of the GlpDepositor contract, and therefore the oracle-delivered price of the plvGLP token."
"343 ETH ($430k) necessary for the attack was bridged from Polygon three months [prior to the attack]."
Solidity Finance Technical Analysis
@LodestarFinance has suffered an exploit as a result of an 8-figure flash loan attack.
We have been investigating and discussing with them & the @PlutusDAO_io team, as Plutus was used in the exploit, but not exploited.
The root cause of the exploit comes down to the way the Lodestar GLPOracle was constructed; specifically how it obtained the price of plvGLP.
The GLPOracle did not properly take into account the impact of a user calling donate() on the GlpDepositor contract, which inflates the assets of the GlpDepositor contract, and therefore the oracle-delivered price of the plvGLP token.
The attacker flashborrowed a large sum of funds and manipulated the price on the GLPOracle to increase the value of their collateral far beyond realistic values.
As a result of this they were able to borrow more than they should have based upon the true value of their collateral.
In this case, the attacker borrowed nearly all of the assets on the platform, leaving the protocol with bad debt.
These events highlight that utilizing oracles resistant to manipulation is a critically important piece of DeFi, especially in protocols which lend out user assets.
Lodestar Finance Technical Analysis
The Lodestar Finance tweet announcing the breach included a technical analysis:
Protocol was exploited and deposits have been drained. We have set all interest rates to 0 so that supply and borrow balances are not moving while we weigh recovery options. What we know right now:
1. An attacker manipulated the exchange rate of the plvGLP contract to 1.83 GLP per plvGLP, an exploit that by itself would be unprofitable.
2. They supplied plvGLP collateral to lodestar and borrowed all available liquidity.
3. They cashed out what they could but our collateralization ratio mechanism prevented them from fully cashing out the plvGLP.
4. After the hack several plvGLP holders also took advantage of the opportunity and also cashed out at 1.83 glp per plvGLP.
5. The hacker burned a little over 3 million in GLP, their profit on this exploit was the stolen funds on Lodestar - minus the GLP they burned.
6. 2.8 Million of the GLP is recoverable, which is worth about $2.4 million. We are going to reach out to the hacker and see if we can negotiate a bug bounty to recover more funds.
7. If you are the hacker, we will be reaching out to you on Debank at [three addresses provided].
They also provided some additional detail and summary in their post-mortem.
The TLDR of the exploit is that the attacker was able to manipulate the plvGLP oracle price by creating a large plvGLP collateral position using flash loans first, donating GLP to the plvGLP contract which caused an instantaneous change in the price, that was then compounded through their loops allowing them to borrow more than they should have been allowed. Because the price can change within the same block, it made this possible. The donation function is not unique to plvGLP and is possible with other standard vault contracts by depositing tokens. The oracle design needs to be completely rethought. Not accounting for the donated GLP would have prevented this but would have also resulted in inaccurate pricing as legitimately donated GLP actually underlies plvGLP. To prevent the exploit the oracle can’t be allowed to undergo instantaneous change within the same block.
CertiK Report And Technical Analysis
CertiK published a detailed analysis of the exploit on Twitter.
Lending platform @LodestarFinance was attacked resulting in a ~$6.5m profit for the exploiter. The team has set interest rates to 0 so that supply and borrow balances will not move.
The hacker manipulated the exchange rate of plvGLP token to 1.83 GLP per plvGLP. The attacker used the inflated assets as collateral on @LodestarFinance to remove all available liquidity via bad debt.
The hacker burned ~3m GLP, resulting in a profit of ~$6.5M which was bridged to Ethereum and distributed to 3 EOAs.
@LodestarFinance announced that they may be able to recover an 2.8M GLP (~$2.4M) of the stolen funds.
Lodestar has made an announcement directed at the hacker, in an attempt to make a white-hat agreement. At this time, the exploiter has not answered Lodestar's negotiation efforts.
Total Amount Lost
The total amount lost has been estimated at $6,500,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
"The incident saw the token LODE dump by ~70% and TVL drop to just $11."
"Following the exploit, the funds were swapped to ETH, bridged back to mainnet and dispersed to multiple addresses."
Lodestar Finance Initial Actions/Announcement
Lodestar Finance updated interest rates to 0 to prevent balances from moving. They then posted an announcement to their community on Twitter with a technical analysis of the exploit and plans to reach out to the attacker. This was followed up with a more specific Tweet to the attacker.
If you are the hacker, reach out to us so we can find a white-hat agreement and move on. Recovering the funds of our users is the main priority and we will generously reward your collaboration.
The events were used to discredit blockchain in general.
If you play with criminals, you get crimed. It should have been abundantly clear 10 years ago that crypto is a haven for criminals. Cut your losses. Get out of that business, find something else... like tulips. At least if they go bust you'll still have the flowers.
Others mentioned that they believed the attacker should cooperate.
These hackers often get caught, sometimes years later, once they try to convert stolen crypto into cash. Much easier and safer for the hacker to return funds and still profit, without having to worry about hiding for the rest of their life.
And one tried to get interest in decentralized insurance.
We are sorry for the unfortunate incident and hope you will be able to recover your funds with minimal loss. Please consider decentralized insurance as an alternative in the future.
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
"two days have now passed since the initial attack on Lodestar, and no mention of any planned reparations has yet been made."
Victim List Published December 17th
Bug Bounty And Crowd Audit
To further bolster our security measures, we have implemented a crowd audit and bug bounty competition in partnership with Hats Finance (https://hats.finance/). This program invited security researchers and white-hat hackers to review our code and identify any potential vulnerabilities to earn bounties.
In this competition, participants from all over the world will be searching for vulnerabilities in the Lodestar Finance contract directory, with prizes awarded based on the severity of each vulnerability found.
No critical bug putting funds at risk was reported, while 18 medium improvements were reported and 2 gas optimisations
The team is also reportedly considering launching a bug bounty program through ImmuneFi.
This protocol is offered as is without warranty. All smart contract-based apps carry inherent risks, and you alone are responsible for the consequences of these risks. By entering the app you agree that you understand these risks, including the potential to lose your entire deposit and further agree to release Lodestar and hold it harmless from all potential claims based on Lodestar's own negligence. All persons from OFAC sanctioned nations are barred from using any Lodestar service. All US persons are barred from staking related services. By entering the app you are asserting that you are compliant with these restrictions and acting lawfully according to your local jurisdiction.
Smart Contract Audit Obtained
Following the attack, Lodestar Finance obtained an audit from Solidity Finance. This audit identified several findings and made corresponding recommendations. The findings include issues with the GLPOracle and SushiOracle contracts, which could lead to price manipulation and borrowing of excessive assets. The audit also highlighted informational findings related to the ComptrollerG7, ComptrollerNoGov, WhitePaperInterestRateModel, JumpRateModel, and JumpRateModelV2 contracts, suggesting improvements or updates. The contracts were reviewed for reentrancy attacks and found to be safe. The audit provides an overview of the contracts, including the Comp Contract, Unitroller Contract, Comptroller Contract, CToken Contract, WhitePaperInterestRateModel, JumpRateModel, JumpRateModelV2 contracts, GovernorAlpha Contract, and GovernorBravo Contract, explaining their functionalities and features. The audit report concludes that some issues have been resolved by the team, while others require further attention and implementation of the recommended changes.
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
"two days have now passed since the initial attack on Lodestar, and no mention of any planned reparations has yet been made."
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
- Lodestar Finance (May 5, 2023)
- Lodestar Finance - Docs (May 5, 2023)
- Rekt - Lodestar Finance - REKT (May 5, 2023)
- Security - Lodestar Finance Docs Archive February 2nd, 2023 9:14:06 PM MST (May 24, 2023)
- Arbitrum Exploit Transaction - Arbiscan (May 5, 2023)
- Solidity Finance - "@LodestarFinance has suffered an exploit as a result of an 8-figure flash loan attack." - Twitter (May 24, 2023)
- SolidityFinance - "The GLPOracle did not properly take into account the impact of a user calling donate() on the GlpDepositor contract, which inflates the assets of the GlpDepositor contract, and therefore the oracle-delivered price of the plvGLP token." - Twitter (May 5, 2023)
- Lodestar Finance - "Protocol was exploited and deposits have been drained. We have set all interest rates to 0 so that supply and borrow balances are not moving while we weigh recovery options." - Twitter (May 5, 2023)
- Lodestar Finance - "If you are the hacker, reach out to us so we can find a white-hat agreement and move on." - Twitter (Jun 5, 2023)
- Lodestar Finance Incident Analysis - CertiK Blog - Web3 Security Leaderboard (May 5, 2023)
- CertiKAlert - "Lending platform @LodestarFinance was attacked resulting in a ~$6.5m profit for the exploiter. The team has set interest rates to 0 so that supply and borrow balances will not move." - Twitter (May 5, 2023)
- Lodestar Finance - "We just published a summary Post-Mortem of yesterday's exploit" - Twitter (Jun 5, 2023)
- Post Mortem Summary - Lodestar Finance (Jun 5, 2023)
- Lodestar Finance - "If you were a victim of the Lodestar exploit, please make sure your address is present on this list" - Twitter (Jun 5, 2023)
- Lodestar Finance Audit Competition - Hats Finance Medium (Jun 19, 2023)
- Security - Lodestar Finance Docs (May 5, 2023)
- Lodestar Exploiter Address - Arbiscan (May 5, 2023)
- Jason C Daniels - "If you play with criminals, you get crimed. It should have been abundantly clear 10 years ago that crypto is a haven for criminals. Cut your losses. Get out of that business, find something else..." - Twitter (May 24, 2023)
- Austin Brown - "These hackers often get caught, sometimes years later, once they try to convert stolen crypto into cash. Much easier and safer for the hacker to return funds and still profit, without having to worry about hiding for the rest of their life." - Twitter (Jun 5, 2023)
- Uno Re - "We are sorry for the unfortunate incident and hope you will be able to recover your funds with minimal loss. Please consider decentralized insurance as an alternative in the future." - Twitter (Jun 5, 2023)
- Lodestar Finance Audit - Solidity Finance (May 24, 2023)