According to a tweet from CertiK Alert, flash loan assaults in December 2022 resulted in losses of over $7.6 million, up from about $5.2 million in losses in November.
The plvGLP token exchange rate was successfully manipulated by the exploiter to 1.83 GLP for every plvGLP, making it 83% more valuable than it should have been. The exploiter then used bad debt to withdraw all of the liquidity on Lodestar Finance while using the inflated tokens as collateral.
The exploiter obtained all of the 14,960 ETH (loaned) to GMX by taking out 8 Flashloans totaling $70.5 million. To begin the ultimate exploit process, the exploiter pooled the WETH (14,960) million together and extended to GMX, where he exchanged the WETH for 19,001,512 USDC and roughly $70 on the platform.
Due to the increase in the plvGLP/GLP exchange rate to 1.00:1.83, the exploiter was able to borrow additional money against the protocol's assets.
The platform's liquidity quickly ran out as a result of the borrowings, prompting the hacker to remove the money from Lodestar and leaving clients with bad debt. The exploiter is believed to have made a total profit of $6.5 million (the token's current value) through the attack vector.
The next company is Elastic Swap, which runs on the Avalanche C-Chain platform and suffered losses of $374,000 as a result of the mid-December flashloan assault. The underlying source of the vulnerability is the usage of two different accounting systems in the erroneous computations for adding and removing liquidity from contracts.
Relative losses were reported by the remaining platforms. It is evident that there are still several openings for attacks in the existing DeFi sector. Decentralization and anonymity are two features of DeFi that make it strong. But flashloan attacks will continue to happen if the aforementioned obstacles are not removed.