Join ACCESS EU, the first-of-its-kind digital assets security and DLT summit
JUNE 7TH, 2024 @ EURONEXT AMSTERDAM ⟶
Halborn Logo

// Blog

Explained: Hacks

Explained: The Lodestar Finance Hack (November 2022)


profile

Rob Behnke

December 13th, 2022


In November 2022, Lodestar Finance, a DeFi project hosted on Arbitrum, was the victim of an attack.  A price manipulation attack against the lending platform allowed the attackers to drain $7 million from the platform.

Inside the Attack

The Lodestar Finance attacker exploited a vulnerability in how the protocol’s price oracle tracked updates.  Prices can change within a single block based on donations to the protocol.  As a result, the project was vulnerable to a flash loan attack.

The attacker took out flashloans for a total of about $70 million and after converting some WETH loans to UDSC deposited them into Lodestar.  After this deposit, the attacker repeatedly took out loans from the platform and then loaned out the borrowed tokens.  This allowed the attacker to collect nearly the entire supply of IplsGLP.

By donating assets to the platform, the attacker disrupted the perceived value of assets within the project’s pool.  As a result, the attacker was able to take out a loan for all of the liquidity stored within the pool.  The resulting exchange rate of 1.83 GLP per plvGLP allowed the attacker to cash out at a significant profit.  In total, approximately $7 million in tokens was drained from the platform.

Lessons Learned From the Attack

The Lodestar Finance hack was made possible by a vulnerable calculation of token prices.  By allowing prices to be updated within a single block, the protocol was vulnerable to price manipulation attacks.

This type of price manipulation attack is common, and insecure price calculations can be identified by performing a smart contract security audit before launch.  To learn more about how to protect your contracts from attack, reach out to our smart contract auditors at halborn@protonmail.com.