Explained: Hacks

Explained: The Lodestar Finance Hack (November 2022)

Rob Behnke

December 13th, 2022

In November 2022, Lodestar Finance, a DeFi lending protocol deployed on Arbitrum, was the victim of an attack.  A price manipulation attack against its lending market allowed the attacker to drain roughly $7 million from the platform.

Inside the Attack

The Lodestar Finance attacker exploited a weakness in how the protocol’s price oracle valued its plvGLP collateral.  The oracle read the current exchange rate between plvGLP and its underlying GLP directly, and that rate could be moved within a single block by donating assets to the vault backing the token.  Because the manipulation and a borrow against the inflated price could happen in the same transaction, the protocol was vulnerable to a flash loan attack.

The attacker took out flash loans totaling about $70 million, converted some of the borrowed WETH to USDC, and deposited the funds into Lodestar.  The attacker then repeatedly borrowed from the platform and redeposited the borrowed tokens as collateral, looping until it held nearly the entire supply of plvGLP.

By donating assets to the vault backing plvGLP, the attacker inflated the exchange rate that the oracle used to value that collateral.  With plvGLP now priced at 1.83 GLP per token, the attacker’s position was treated as healthy enough to borrow all of the liquidity stored in the pool, and the attacker cashed out at a significant profit.  In total, approximately $7 million in tokens was drained from the platform.

Lessons Learned From the Attack

The Lodestar Finance hack was made possible by a vulnerable collateral price calculation.  Because the oracle accepted a spot exchange rate that could be pushed to a new value within a single block, an attacker with flash loan capital could manipulate the price and borrow against it in the same transaction.
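The mechanism described in the attack walkthrough above and the lesson drawn from it can be seen in a small model.  The following is an added example written for this article, not Lodestar’s or the plvGLP vault’s contract code: a share vault whose exchange rate is assets divided by shares, a spot oracle that reads that rate live (the vulnerable pattern), and a hardened oracle that records one observation per block, clamps each step to a maximum change, and averages over a window.  The vault size, the attacker’s share of supply, the 2% cap, the $1 GLP price and the 80% collateral factor are constructed assumptions; only the post-donation exchange rate of 1.83 GLP per plvGLP is taken from the incident.

```python
"""Toy model of the plvGLP donation attack and a hardened oracle.

Added example, not Lodestar or vault code.  All figures are constructed for
illustration except the 1.83 GLP/plvGLP rate quoted in the write-up.
"""
from collections import deque


class Vault:
    """ERC-4626-style share vault (shares ~ plvGLP, underlying ~ GLP).

    exchange_rate = assets / shares.  Transferring underlying straight to the
    vault ("donating") raises assets without minting shares, so the rate
    moves inside a single transaction.
    """

    def __init__(self, assets: float, shares: float) -> None:
        self.assets = assets
        self.shares = shares

    def exchange_rate(self) -> float:
        return self.assets / self.shares

    def donate(self, amount: float) -> None:
        self.assets += amount  # no shares minted: pure rate inflation


class SpotOracle:
    """Vulnerable oracle: prices collateral off the live exchange rate."""

    def __init__(self, vault: Vault, underlying_price: float) -> None:
        self.vault = vault
        self.underlying_price = underlying_price

    def update(self, block: int) -> None:
        pass  # nothing stored; price() always reads the current rate

    def price(self) -> float:
        return self.vault.exchange_rate() * self.underlying_price


class BoundedTwapOracle:
    """Hardened oracle: one observation per block, each step clamped to
    +/- max_step of the previous accepted rate, price = mean over window."""

    def __init__(self, vault: Vault, underlying_price: float,
                 window: int = 10, max_step: float = 0.02) -> None:
        self.vault = vault
        self.underlying_price = underlying_price
        self.max_step = max_step
        self.obs = deque([vault.exchange_rate()] * window, maxlen=window)
        self.last_block = -1

    def update(self, block: int) -> None:
        if block == self.last_block:
            return  # already observed this block; same-block changes are ignored
        self.last_block = block
        prev = self.obs[-1]
        live = self.vault.exchange_rate()
        lo, hi = prev * (1 - self.max_step), prev * (1 + self.max_step)
        self.obs.append(min(max(live, lo), hi))

    def price(self) -> float:
        return sum(self.obs) / len(self.obs) * self.underlying_price


def borrow_capacity(collateral_shares: float, oracle,
                    collateral_factor: float = 0.8) -> float:
    """Lending-market borrow limit: shares * oracle price * collateral factor."""
    return collateral_shares * oracle.price() * collateral_factor


def simulate(oracle_cls) -> dict:
    """Run the donation attack against one oracle type; report borrow limits."""
    vault = Vault(assets=1_000_000.0, shares=1_000_000.0)  # rate 1.0 (assumed)
    oracle = oracle_cls(vault, underlying_price=1.0)       # GLP at $1 (assumed)
    attacker_shares = 950_000.0                            # ~95% of supply (assumed)

    block = 100
    oracle.update(block)                                   # first touch of the block
    before = borrow_capacity(attacker_shares, oracle)

    vault.donate(830_000.0)                                # rate -> 1.83 as in the incident
    oracle.update(block)                                   # attacker borrows in the same block
    same_block = borrow_capacity(attacker_shares, oracle)

    oracle.update(block + 1)                               # what the next block sees
    next_block = borrow_capacity(attacker_shares, oracle)
    return {"rate": vault.exchange_rate(), "before": before,
            "same_block": same_block, "next_block": next_block}


if __name__ == "__main__":
    for cls in (SpotOracle, BoundedTwapOracle):
        print(cls.__name__, simulate(cls))
```

Against the spot oracle the donation lifts the attacker’s borrow limit from 760,000 to 1,390,800 within the same block, which is the shape of the Lodestar exploit.  Against the bounded TWAP the same-block limit does not move at all, and the next block’s limit rises only to 761,520, because the 1.83 reading is clamped to a 2% step and then averaged.  Note that the clamp and window do not make the rate unmanipulable; they make the manipulation slow and visible, so the cap must be chosen against the vault’s legitimate yield rather than set arbitrarily.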

This type of price manipulation attack is common.  Oracles that read a manipulable spot value such as a vault exchange rate should instead rely on time-weighted averages, bound the change accepted per update, or source prices externally, and insecure price calculations of this kind can be identified by a smart contract security audit before launch.