Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 116 · Oracle Manipulation

Lodestar Finance plvGLP Oracle

Lodestar on Arbitrum lost $6.5M after the attacker manipulated the plvGLP oracle, which read GLP pool state directly, to inflate collateral and borrow reserves.


On December 10, 2022, the Arbitrum lending protocol Lodestar Finance lost approximately $6.5 million (some sources cite ~$6.9M) when an attacker manipulated the plvGLP exchange-rate oracle. Lodestar accepted plvGLP (Plutus's auto-compounding GLP wrapper) as collateral, and priced it by reading the GLP pool's state directly — a value the attacker could move within a single transaction.

What happened

Lodestar was a Compound-style lending market. It accepted plvGLP as collateral and derived plvGLP's USD value from the GLP token's exchange rate, which it computed by reading GMX's GLP pool state.

The fatal flaw: the plvGLP exchange-rate calculation read manipulable on-chain pool state rather than a manipulation-resistant oracle. The GLP price could be temporarily inflated by anyone with enough capital to move the relevant GMX pool.

The attack:

  1. Acquired and deposited plvGLP as collateral on Lodestar.
  2. Manipulated the underlying GLP exchange rate by interacting with the GMX GLP pool in ways that pushed Lodestar's plvGLP price reading upward.
  3. With the inflated collateral valuation, borrowed out essentially all of Lodestar's lendable reserves — USDC, ETH, and other assets — against the over-valued plvGLP.
  4. Walked away, leaving Lodestar with plvGLP collateral worth far less than the loans it backed.

Total extraction: approximately $6.5M.

Aftermath

  • Lodestar paused markets and offered the attacker a bounty for the return of funds.
  • The attacker did not engage; funds were laundered.
  • Lodestar's plvGLP market never recovered; the protocol's broader standing was significantly damaged.

Why it matters

Lodestar Finance is a clean case for the recurring rule that collateral pricing must never read manipulable pool state directly. The plvGLP/GLP valuation path was an oracle in everything but robustness — it produced a price, but a price that any well-capitalised attacker could move in the same transaction they exploited it.

The structural pattern is identical across the catalogue:

  • Cream Finance — read yUSD price from Yearn directly.
  • Vee Finance — single Pangolin pool for collateral pricing.
  • Moola Market — used internal MOO price for MOO collateral.
  • Lodestar Finance — read plvGLP/GLP exchange rate from manipulable pool state.

Each is the same lesson, re-learned by a different protocol on a different chain (here, Arbitrum in late 2022, as the L2 DeFi ecosystem was rapidly expanding and repeating Ethereum's earlier mistakes): the oracle is the trust boundary, and an oracle that reads spot pool state is not an oracle, it's a calculator the attacker controls. The defensive answer — TWAP, external feeds, deviation guards, liquidity floors — was well-documented years before Lodestar shipped.
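The defensive pattern named above, a TWAP with a deviation guard, set against the Lodestar pattern of crediting collateral at the current pool price, as an added example that is not Lodestar's or any listed protocol's code. The `GuardedOracle` class, the `simulate` helper and the price series are constructed for illustration, written in Python rather than Solidity so it runs stand-alone.

```python
# Added example (not Lodestar's code): TWAP oracle with a deviation guard
# versus pricing collateral straight off pool state. Series are constructed.
class GuardedOracle:
    """Value collateral at a time-weighted average over `window` seconds and
    refuse when spot, which one transaction can move, strays too far from it."""

    def __init__(self, window, max_deviation):
        self.window = window                # seconds averaged over
        self.max_deviation = max_deviation  # 0.05 == 5 % tolerated
        self.samples = []                   # (timestamp, spot), ascending

    def update(self, ts, spot):
        if self.samples and ts <= self.samples[-1][0]:
            raise ValueError("timestamps must strictly increase")
        self.samples.append((ts, spot))

    def twap(self, now):
        # Weight each price by its time in force; the current block's price has zero weight.
        start, nxt = now - self.window, self.samples[1:] + [(now, None)]
        weighted, covered = 0.0, 0
        for (t0, price), (t1, _) in zip(self.samples, nxt):
            lo, hi = max(t0, start), t1
            if hi > lo:
                weighted += price * (hi - lo)
                covered += hi - lo
        if covered < self.window:
            raise ValueError("insufficient history to cover the window")
        return weighted / covered

    def collateral_value(self, now, amount):
        spot, twap = self.samples[-1][1], self.twap(now)
        if abs(spot - twap) / twap > self.max_deviation:
            raise RuntimeError("spot deviates from TWAP; refuse to value")
        return amount * min(spot, twap)   # never credit an upward spike

def simulate(observations, now, amount, window=240, max_deviation=0.05):
    """Return (naive value as Lodestar computed it, guarded value or None)."""
    oracle = GuardedOracle(window, max_deviation)
    for ts, spot in observations:
        oracle.update(ts, spot)
    naive = amount * observations[-1][1]   # the flaw: trust current pool state
    try:
        guarded = oracle.collateral_value(now, amount)
    except RuntimeError:
        guarded = None                     # a lending market reverts the borrow
    return naive, guarded

# Constructed price series; in PUMPED the last block is inflated in one tx.
CALM = [(1000, 1.00), (1060, 1.01), (1120, 1.00), (1180, 1.02), (1240, 1.01), (1300, 1.02)]
PUMPED = CALM[:-1] + [(1300, 3.50)]
```

With `PUMPED`, the naive path credits 3.5x the collateral while the guarded path refuses; with `CALM`, the guarded path values at the TWAP rather than the slightly higher spot.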

Sources & on-chain evidence

  1. halborn.com: https://www.halborn.com/blog/post/explained-the-lodestar-finance-hack-december-2022
  2. crypto.news: https://crypto.news/defi-protocol-lodestar-finance-hacked-in-flash-loan-attack/
  3. news.bitcoin.com: https://news.bitcoin.com/hacker-steals-6-9-million-from-arbitrum-based-defi-protocol-lodestar-finance/
