Lodestar Finance, a lending protocol on Arbitrum, got exploited for $6.5m on 10 December. At the center of the attack was a vulnerability of the GLPOracle which enabled the exploiter to inflate the value of plvGLP and drain the lending market’s available liquidity.
The attack was highly complex and involved a number of transactions, including 8 flashloans worth c. $70.5m. The attacker deposited USDC as collateral on Lodestar, loop-borrowed plutus staked GLP (plsGLP) and then lent it for iplsGLP. In the process, the attacker managed to grow the difference between plsGLP and GLP which was arbitraged for profit.
According to Certik, the Oracle vulnerability is as follows:
By manipulating the exchange ratio, the attack was able to push up the price by 1.7x. Certik’s detailed analysis can be found here. Lodestar also published a summary on the events and expects to recover $2.4m in lost funds.
The exploit focused on the exchange ratio of Plutus staked GLP, a wrapped version of GLP, but not on GLP itself.
Gearbox’s only accepted wrapped collateral tokens are WETH, WBTC & wstETH which are standardized. Hence the attack vector from the Lodestar exploit cannot be reproduced.
There was relatively little FUD wrt stablecoins this week.
GUSD liquidity went up to $15.8m from $8.7m. sUSD backing decreased slightly from 486% to 456% and LUSD backing increased to 250%.
LUSD liquidity hovers around the $50m-mark. The other stablecoins remained largely unchanged.
Total pool decreased slightly to $18.6m. yvDAI was the biggest loser with a decrease of $1.3m to $3.7m followed by DAI (-$1m to $0.3m) and stkcvxLUSD3CRV-f (-$0.9m to $1.2m). Notable increases were booked for stkcvxgusd3CRV (+$1.4m to $2.8m) and stkcvxcrvPlain3andSUSD (+$0.8m to $9.7m).
The pool remains predominantly collateralized by stablecoins.
Total pool collateral increased from $29.4m to $32.2m. The main increase comes from stkcvxcrvPlain3andSUSD (+$7m to $16.3m). Most other collateral tokens saw a decrease.
This pool also remains large backed by stablecoin assets.
The pool experienced an increase from $22.3m to $24.1m, driven by stkcvxsteCRV
(+$1.4m) & stETH (+$1m). yvWETH decreased from $4.7m to $4m.
The pool remains collateralized by mostly ETH or staked ETH assets.
No material change compared to the previous week.
Total pool assets and borrow volume dropped to $0.95m and $0.79m, respectively. The pool saw outflows of the remaining yvCRV-stETH and is now entirely collateralized by stkcvxsteCRV.
Current risk parameters are on par with our models.
We continue to closely monitor stablecoin liquidity.
Additional stats, updated daily, are available in our dashboard at https://gearbox.riskdao.org/