Lodestar Finance: Oracle Price Manipulation (LP Token Donation)
Lodestar Finance lost $6.5M when an attacker used flash loans and an open `donate()` function to inflate the Lodestar custom oracle price for plvGLP collateral, then borrowed all protocol liquidity against the inflated value.
Summary #
Lodestar Finance suffered a Lending / Money Market on 2022-12-10, resulting in a loss of approximately $7M.
What happened #
Lodestar Finance lost $6.5M when an attacker used flash loans and an open `donate()` function to inflate the Lodestar custom oracle price for plvGLP collateral, then borrowed all protocol liquidity against the inflated value.
Linked factors #
- RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Likely unaudited custom oracle code]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown — team asked hacker to negotiate white-hat]
- RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly (Y/N): Y — GLPOracle price inflation detectable via `donate()` call monitoring]
- RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Compound fork]
- RD-F-127 — related : Upstream Compound has patches that may not be merged here [via dashboard_risk_factors/Forked?: Yes — Compound fork]