Post Mortem Summary

Waffle
Published in Lodestar Finance
Dec 11, 2022

Our one and only priority at this time is doing the most we can to do right by our community. This is a bad situation and options are limited. The attacker has thus far not responded to our requests to negotiate a bug bounty. The Lodestar team is going to base our recovery plan on the approximately 2,720,000 GLP that is recoverable from the plvGLP contract. We have confirmed with the Plutus team that these funds are recoverable and that they will make them accessible for us to negotiate with the hacker and to repay depositors. We will provide those details when they become available. In the meantime we will continue to try to reach out to the hacker and see if we can reach an agreement to return more of the users' funds.

We have completed a script to run that will catalog the losses suffered by each account.

The TLDR of the exploit: the attacker first used flash loans to build a very large plvGLP collateral position, then donated GLP directly to the plvGLP contract. A donation raises the vault's total assets without minting any new shares, so the plvGLP exchange rate, and with it the oracle price, moved instantaneously. Because the oracle read the live exchange rate, that price change took effect within the same block, and the attacker compounded it through their looped positions to borrow more than their collateral should ever have allowed. The donation path is not unique to plvGLP; it is possible with other standard vault contracts as well, by sending the underlying token to the vault without minting shares. The oracle design needs to be completely rethought. Ignoring donated GLP would have prevented this particular attack, but it would also misprice plvGLP, because legitimately donated GLP really does underlie the token. The fix has to be that the oracle price cannot undergo an instantaneous change within a single block.

The exploit that occurred is summarized here, a full post mortem is still in the works. We want to provide the available information we have at this time. Thank you to Solidity.finance and Certik for these summaries and other auditors who reached out to us in our time of need to help us figure out what happened.

Solidity.finance:

https://twitter.com/SolidityFinance/status/1601684150456438784

Certik:

Attack Flow

The exploiter took out 8 flashloans worth roughly $70.5 million. The exploiter then deposited all the loaned ETH (14,960) to GMX to start the ultimate exploit process. They received an extremely high price and had close to the entire supply. The protocol was left with bad debt due to the way the GLP price was calculated.

1. Exploiter took out 8 loans

a. 17,290,000 USDC

b. 9500 WETH

c. 4067,721 DAI

d. 14,435,000 USDC

e. 5,460 WETH

f. 7,170,000 USDC

g. 2,200,000 USDC

h. 10,000,000 USDC

2. The exploiter then pools the WETH (14,960) together and withdraws and deposits to GMX.

3. Exploiter swaps 14,960 WETH for 19,001,512 USDC

4. Exploiter then deposits roughly 70m onto the platform, which then starts the bank run on Lodestar.

5. Exploiter then borrows PlsGLP and lends the PlsGLP to receive IplsGLP; they do this repeatedly until they control more or less the entire supply.

6. After the donate() function is called, the assets are inflated by the amount donated, which completely disrupts the price of the assets in the pool and allows the protocol to be drained. This increases the supply of sGLP by almost 1.68x.

7. After asset prices are pushed up, the attacker then borrows the rest of the assets leaving the protocol with bad debt.

8. All flashloans were then repaid with interest before redeeming the underlying assets for 4527 ETH in the next two transactions.

9. Now that the exchange rate is ruined, the exploiter then practically doubles their plvGLP for plsGLP (9,651,000 tokens).

a. 9,651,000 tokens are sent to vault

b. The tokens are then burned and the rebate is sent to the vault. (34k plvGLP)

c. 104,000 tokens are removed from the transactions for staking.

d. Remaining 9,812,000 fsGLP tokens are then sent to exploiter

10. In the remaining exploit transactions the exploiter then redeems the underlying asset (fsGLP) for roughly 4527 ETH (5,800,000 USD)

Vulnerability

The main vulnerability is inside of GLPOracle and how it computes its price. The price of the oracle is defined by the following equations:

1. GLPPRICE = GLPVALUE / GLPSUPPLY

2. plvGLPexchangerate = totalassets / totalsupply

3. Price of PlvGLP = plvGLPexchangerate * GLPPRICE / Constant value

As totalassets increases, plvGLPexchangerate grows larger, and therefore the price of PlvGLP increases. So when the attacker updates totalassets by calling the donate function, they are able to push the price of PlvGLP higher by donating their sGLP.
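The three equations above and the donate-driven price move from the TLDR, as an added worked example in Python (not code from Lodestar, Plutus or Certik): a toy GLP price, a plvGLP-style vault whose share price is totalAssets / totalSupply, and two oracles that combine them per equation 3. The attacker sequence and every number are constructed. SpotOracle reads live vault storage, as the post describes; BlockAnchoredOracle is an assumed mitigation, not Lodestar's actual fix, that freezes the exchange rate for the block in which it was first read, matching the requirement that the price cannot change within a block.

```python
from dataclasses import dataclass

# The post's "Constant value" in equation 3; 1 here so prices read directly in USD.
ORACLE_SCALE = 1.0


@dataclass
class Glp:
    """Stand-in for GMX GLP: equation 1, GLPPRICE = GLPVALUE / GLPSUPPLY (constructed)."""
    value_usd: float
    supply: float

    def price(self) -> float:
        return self.value_usd / self.supply


@dataclass
class PlvGlpVault:
    """Stand-in for the plvGLP vault: equation 2, exchange rate = totalAssets / totalSupply."""
    total_assets: float  # GLP held by the vault
    total_supply: float  # plvGLP shares outstanding

    def exchange_rate(self) -> float:
        return self.total_assets / self.total_supply

    def deposit(self, glp: float) -> float:
        """Mint shares at the current rate; the rate itself does not move."""
        shares = glp / self.exchange_rate()
        self.total_assets += glp
        self.total_supply += shares
        return shares

    def donate(self, glp: float) -> None:
        """Add GLP without minting shares: every existing share is worth more at once."""
        self.total_assets += glp


class SpotOracle:
    """The vulnerable design: equation 3 evaluated on live vault storage, so a donate()
    earlier in the same block is priced in immediately."""

    def price(self, vault: PlvGlpVault, glp: Glp, block: int) -> float:
        return vault.exchange_rate() * glp.price() / ORACLE_SCALE


class BlockAnchoredOracle:
    """Assumed mitigation (not Lodestar's actual fix): sample the exchange rate once per
    block on first read and reuse it for the rest of that block, so no flash-loan
    sequence can change the price quoted within a single block. It does not stop
    manipulation spread over several blocks; that needs a TWAP or a per-block change cap."""

    def __init__(self) -> None:
        self._rate_by_block: dict[int, float] = {}

    def price(self, vault: PlvGlpVault, glp: Glp, block: int) -> float:
        rate = self._rate_by_block.setdefault(block, vault.exchange_rate())
        return rate * glp.price() / ORACLE_SCALE


def borrow_capacity_usd(shares, oracle, vault, glp, block, collateral_factor=0.75):
    """USD debt that `shares` plvGLP of collateral supports at the oracle's quoted price."""
    return shares * oracle.price(vault, glp, block) * collateral_factor


def simulate(oracle_cls, flash_glp=1_000_000.0, donation_glp=680_000.0, block=1):
    """One attacker block: deposit flash-loaned GLP, post the shares as collateral,
    then donate GLP to the vault. Returns the borrow capacity before the donation,
    right after it in the same block, and in the following block."""
    glp = Glp(value_usd=1_000_000.0, supply=1_000_000.0)  # GLP at $1.00, constructed
    vault = PlvGlpVault(total_assets=10_000.0, total_supply=10_000.0)  # honest deposits
    oracle = oracle_cls()
    oracle.price(vault, glp, block)  # a read earlier in the block, e.g. by another borrower
    shares = vault.deposit(flash_glp)  # attacker now owns ~99% of plvGLP supply
    before = borrow_capacity_usd(shares, oracle, vault, glp, block)
    vault.donate(donation_glp)  # totalAssets jumps, totalSupply does not
    after = borrow_capacity_usd(shares, oracle, vault, glp, block)
    next_block = borrow_capacity_usd(shares, oracle, vault, glp, block + 1)
    return before, after, next_block


if __name__ == "__main__":
    for cls in (SpotOracle, BlockAnchoredOracle):
        before, after, nxt = simulate(cls)
        print(f"{cls.__name__}: before={before:,.0f} same-block={after:,.0f} "
              f"next-block={nxt:,.0f} jump={after / before:.2f}x")
```

Running it shows the spot oracle raising the attacker's borrow capacity by roughly 1.67x inside the block that contains the donation, and because the attacker holds about 99% of the supply, nearly all of the donated GLP lands on their own collateral. The block-anchored oracle quotes the unchanged capacity for the rest of that block and only reflects the donation in the next block, which is after any flash loan has had to be repaid.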

The following function allows for price manipulation of PLVGLP at the cost of the User giving up their GLP for pushing the price up
