Lodestar Finance, an Ethereum lending platform, was hacked and exploited. The attacker burned approximately 3 million GLP, resulting in a profit of about $6.5M. Lodestar has said, however, that it may be able to recover 2.8 million GLP of the funds that were taken.
The exploiter manipulated the plvGLP token exchange rate to 1.83 GLP for every plvGLP, making it 83% more valuable than it should have been. The exploiter then used the inflated tokens as collateral to withdraw all of the liquidity on Lodestar Finance, leaving the protocol with bad debt.
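The arithmetic behind that bad debt, and a bounded rate update that would have refused the jump, as an added example (not Lodestar's code). The collateral factor, the 5% step limit and all class and function names are assumptions; only the 1.83 rate and the implied fair rate of 1.0 come from the article.

```python
from dataclasses import dataclass

FAIR_RATE = 1.0           # GLP per plvGLP implied by the article (1.83 is "83% more")
MANIPULATED_RATE = 1.83   # rate reported in the article
COLLATERAL_FACTOR = 0.75  # assumed; the article does not give Lodestar's value
MAX_STEP = 0.05           # assumed guard: largest relative change accepted per update


class RateRejected(Exception):
    """Raised when a reported rate moves further than MAX_STEP allows."""


@dataclass
class Market:
    rate: float = FAIR_RATE   # last accepted GLP-per-plvGLP rate
    guarded: bool = False     # True enables the deviation bound

    def update_rate(self, reported: float) -> None:
        """Accept a newly reported exchange rate, optionally bounded."""
        if self.guarded and abs(reported - self.rate) / self.rate > MAX_STEP:
            raise RateRejected(f"rate moved {reported / self.rate - 1:+.0%}")
        self.rate = reported

    def borrow_limit(self, plvglp: float) -> float:
        """Borrowing power, in GLP terms, for a plvGLP collateral deposit."""
        return plvglp * self.rate * COLLATERAL_FACTOR


def bad_debt(plvglp: float, reported: float, guarded: bool) -> float:
    """Debt left uncovered once the collateral is valued at FAIR_RATE again."""
    market = Market(guarded=guarded)
    try:
        market.update_rate(reported)
    except RateRejected:
        pass  # the market keeps valuing collateral at the last accepted rate
    borrowed = market.borrow_limit(plvglp)   # borrower draws the full limit
    true_value = plvglp * FAIR_RATE          # what the collateral really covers
    return max(0.0, borrowed - true_value)


if __name__ == "__main__":
    for guarded in (False, True):
        debt = bad_debt(1_000, MANIPULATED_RATE, guarded)
        print(f"guarded={guarded}: bad debt per 1,000 plvGLP = {debt:.1f} GLP")
```

With the inflated rate accepted, the borrowing limit exceeds the real value of the collateral even after the collateral factor is applied, which is why the position can never be liquidated back to solvency.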
1. An attacker manipulated the exchange rate of the plvGLP contract to 1.83 GLP per plvGLP, an exploit that by itself would be unprofitable.
— Lodestar Finance (💙,🧡) (@LodestarFinance) December 10, 2022
2. They supplied plvGLP collateral to lodestar and borrowed all available liquidity.
An individual took out several flash loans totaling $70.5 million and deposited them on GMX. They then pooled their assets together and swapped them for USDC, depositing roughly $70 million onto the platform. From there, they borrowed PlsGLP and lent it to receive IplsGLP, potentially allowing them to gain control of the entire supply. The supply of sGLP increased by almost 1.68x as a result, and the individual borrowed the rest of the assets, leaving the protocol with bad debt. They repaid all of the flash loans with interest and redeemed their assets for 4527 ETH, worth around $5.8 million.
According to Lodestar Finance, other holders of plvGLP were able to profit from the exploit by cashing out 1.83 GLP per plvGLP. Lodestar claims that 2.8 million GLP, worth $2.4 million at the time, can be recovered. The company is also working on reaching an agreement with the exploiter.