Lodestar Finance plvGLP Manipulation
Lodestar on Arbitrum lost $6.5M after its plvGLP oracle failed to account for a public donate() function that inflated the GlpDepositor's GLP assets without minting shares, letting the attacker borrow against collateral valued 83% above its real worth.
- Date: December 10, 2022
- Victim: Lodestar Finance
- Chain(s): Arbitrum
- Status
- Funds Stolen: ~$6.5M
On December 10, 2022, the Arbitrum lending platform Lodestar Finance was exploited for approximately $6.5 million through a manipulation of the plvGLP (Plutus-locked-GLP) token's oracle. The attacker used eight flash loans totalling ~$70.5 million and exploited the fact that Lodestar's oracle did not account for a public donate() function on the underlying GlpDepositor contract that inflated the assets without minting new shares.
What happened
Lodestar accepted plvGLP — a wrapped/locked version of GMX's GLP token managed by Plutus — as collateral. The protocol's oracle calculated plvGLP's price from the GlpDepositor contract's reported assets, dividing by the total supply of plvGLP tokens.
The fatal omission: the donate() function on the GlpDepositor contract let anyone send GLP directly to the contract without minting any new plvGLP shares. The oracle, reading "assets divided by supply," interpreted donated GLP as a proportional increase in plvGLP's value per share — even though the donation didn't actually benefit existing plvGLP holders.
The attack:
- Flash-borrowed ~$70.5M across eight separate loans.
- Donated a large amount of GLP directly to the GlpDepositor contract via donate(), inflating its assets without creating new plvGLP shares.
- The Lodestar oracle, reading the inflated assets-to-supply ratio, recalculated the plvGLP exchange rate at 1.83 GLP per plvGLP — 83% above the legitimate rate.
- Deposited plvGLP as collateral at the inflated valuation.
- Borrowed every available asset Lodestar had to lend — USDC, ETH, BTC, etc. — against the over-valued collateral.
- Never repaid the Lodestar loans, leaving the protocol with the over-valued plvGLP as the only backing for the stolen funds.
- Repaid the flash loans and pocketed the difference: ~$6.5M.
Aftermath
- Lodestar paused affected markets within hours.
- The team announced that approximately $2.4M of the stolen GLP was recoverable through Plutus' cooperation; this was distributed back to depositors as partial reimbursement.
- The remainder was laundered through Tornado Cash and similar routes.
- The exploit accelerated industry-wide recognition of donation attacks as a critical oracle-design vulnerability for any token whose price is computed from a contract that accepts arbitrary deposits.
Why it matters
Lodestar's incident is a clean case study for the donation attack vulnerability class — a pattern that recurs everywhere a price oracle reads "assets divided by supply" from a contract that someone can donate to without minting shares:
- Hundred Finance (Apr 2023) — donation attack on Compound v2 fork.
- Sonne Finance (May 2024) — donation attack on Compound v2 fork.
- Lodestar (Dec 2022) — donation attack via Plutus' GlpDepositor.
The defensive patterns:
- Use cached or time-weighted oracle reads rather than instantaneous "assets divided by supply" calculations.
- Verify that the underlying contract's balance changes match its share changes — any deposit that does not mint shares should not move the oracle.
- Audit each new collateral asset's oracle dependencies, including any function on the underlying that can move balances independently of share issuance.
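As an added illustration (not code from the page's sources, Lodestar or Plutus), the following Python model of a share-based vault shows why an instantaneous "assets divided by supply" read moves on a donate() call, and how the two defensive patterns above, share-consistent accounting and a cached read with a deviation guard, keep the rate at its legitimate value. The vault, its balances and the 5% deviation threshold are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class GlpDepositor:
    # Constructed model: deposit() mints shares, donate() raises the balance without minting.
    assets: float = 0.0      # GLP the contract holds (what a balance read returns)
    supply: float = 0.0      # plvGLP shares outstanding
    accounted: float = 0.0   # GLP that arrived through share-minting paths only

    def deposit(self, glp: float) -> float:
        shares = glp if self.supply == 0 else glp * self.supply / self.accounted
        self.assets += glp
        self.accounted += glp
        self.supply += shares
        return shares

    def donate(self, glp: float) -> None:
        self.assets += glp  # balance grows; supply and accounted assets do not

def naive_rate(vault: GlpDepositor) -> float:
    # Instantaneous "assets divided by supply": moves on every donation.
    return vault.assets / vault.supply

def share_consistent_rate(vault: GlpDepositor) -> float:
    # Only count assets that entered through share issuance; donated GLP is ignored.
    return min(vault.assets, vault.accounted) / vault.supply

class GuardedOracle:
    # Cached read that refuses a single-update jump larger than max_deviation.
    def __init__(self, vault: GlpDepositor, max_deviation: float = 0.05):
        self.vault = vault
        self.cached = naive_rate(vault)
        self.max_deviation = max_deviation

    def update(self) -> tuple:
        spot = naive_rate(self.vault)
        if abs(spot - self.cached) / self.cached > self.max_deviation:
            return self.cached, False  # keep the last good value and flag the anomaly
        self.cached = spot
        return spot, True

def simulate() -> dict:
    vault = GlpDepositor()
    vault.deposit(1000.0)    # constructed: 1000 GLP in, 1000 plvGLP out, rate 1.0
    oracle = GuardedOracle(vault)
    vault.donate(830.0)      # no shares minted; balance is now 1830 GLP
    guarded, accepted = oracle.update()
    return {"naive": naive_rate(vault), "consistent": share_consistent_rate(vault),
            "guarded": guarded, "accepted": accepted}
```

A deviation guard only blocks a jump within one update, so a real deployment pairs it with share-consistent accounting that credits legitimate reward accrual through an explicit, rate-limited path rather than a raw balance read.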
The Lodestar pattern has been re-learned so many times that it's now on essentially every DeFi audit checklist; protocols that still ship with the vulnerability are either auditing inadequately or skipping audits on collateral additions.
Sources & on-chain evidence
- [01] The Block: https://www.theblock.co/post/193910/lodestar-finance-exploited
- [02] crypto.news: https://crypto.news/defi-protocol-lodestar-finance-hacked-in-flash-loan-attack/
- [03] CertiK: https://www.certik.com/resources/blog/TqTyq4vYHl8JzS7zyJye9-lodestar-finance-incident-analysis