
Verify a decision

Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.

How verification works

  1. We commit. When a moderator accepts/rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash it with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
  2. We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
  3. You compare three values: the database hash, your independently recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.

The on-chain memo format is AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>

Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.

Sequence: #1
Score:
Cluster: mainnet-beta
Slot: 423640329
Off-chain at: 2026-06-01T17:48:24.868Z
Anchored at:
Block time:

Independent verification

1. Database (off-chain): 7K8dFDNQb52ZuAvZZ3xfQQRUhBpnyQGYjFKEhrR1ogVS
2. Recomputed (your browser): computing…
3. On-chain (Solana memo): fetching…
Canonical bytes hashed (16429 chars)
{"actor":"system:backfill","investigation_id":"9f16c147-d747-4bcb-ad79-43f72fbaf199","kind":"publish","page_slug":"lodestar-finance","published_at":"2026-06-01T17:48:24.789Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Lodestar Finance","sections":[{"content":"On December 10, 2022, Lodestar Finance was exploited in a flash loan attack that drained nearly all protocol liquidity. The attacker obtained approximately $70.1 million across eight flash loans and used a vulnerability in the protocol's GLPOracle to artificially inflate the exchange rate of plvGLP — Plutus DAO's staked GLP derivative token — from approximately 1.07 to 1.83 GLP per plvGLP, an increase of roughly 70–83%. This inflated collateral value was then used to borrow against all available lending pools across the protocol. Total losses are reported at approximately $6.9 million, with the protocol's TVL dropping from roughly $7 million to just $11.06 after the attack. The native LODE token fell approximately 53% in 24 hours following the exploit.","heading":"December 2022 Exploit Overview","severity":"critical","sources":[{"credibility":2,"name":"DeFi Lending Platform Lodestar Finance Loses $6.9M in Oracle Exploit — Unchained","type":"news","url":"https://unchainedcrypto.com/defi-lending-platform-lodestar-finance-loses-6-9m-in-oracle-exploit/"},{"credibility":2,"name":"Lodestar Finance exploited in flash loan attack — CoinTelegraph","type":"news","url":"https://cointelegraph.com/news/lodestar-finance-exploited-in-flash-loan-attack"},{"credibility":2,"name":"Hacker Steals $6.9 Million From Arbitrum-Based DeFi Protocol Lodestar Finance — Bitcoin.com News","type":"news","url":"https://news.bitcoin.com/hacker-steals-6-9-million-from-arbitrum-based-defi-protocol-lodestar-finance/"}]},{"content":"The root cause of the exploit was a flaw in how the Lodestar GLPOracle calculated the price of plvGLP. 
The oracle used the formula: plvGLP Price = (plvGLP.totalAssets() × GLP Price) / plvGLP.totalSupply(). By calling the donate() function on Plutus DAO's GlpDepositor contract, the attacker was able to deposit sGLP tokens into the vault without triggering the issuance of any new plvGLP tokens. This caused totalAssets to increase while totalSupply remained constant, inflating the derived exchange rate and the oracle-reported price of plvGLP by approximately 1.688 times. A critical design deficiency was that the oracle allowed prices to change within a single block — enabling the entire manipulation to occur atomically in one transaction. CertiK and Solidity Finance independently confirmed that the flaw was solely in Lodestar's oracle implementation, not in Plutus DAO's plvGLP contract itself.","heading":"Oracle Manipulation Technique","severity":"critical","sources":[{"credibility":2,"name":"Lodestar Finance Incident Analysis — CertiK","type":"onchain","url":"https://www.certik.com/resources/blog/TqTyq4vYHl8JzS7zyJye9-lodestar-finance-incident-analysis"},{"credibility":2,"name":"$6.9M Lodestar Exploit: Oracle Manipulations Through Attacking Issuance Mechanism Vulnerabilities — EigenPhi","type":"onchain","url":"https://eigenphi.substack.com/p/69m-lodestar-exploit-oracle-manipulations"},{"credibility":2,"name":"Explained: The Lodestar Finance Hack — Halborn","type":"news","url":"https://www.halborn.com/blog/post/explained-the-lodestar-finance-hack-november-2022"}]},{"content":"plvGLP is a product of Plutus DAO that represents staked GLP — the liquidity provider token for GMX, a perpetuals exchange on Arbitrum. Plutus DAO published an official statement clarifying that its platform and smart contracts functioned as intended throughout the exploit and were not compromised. 
Plutus acknowledged that the donate() function in its GlpDepositor contract — which exists in standard ERC4626-style vault implementations — was the mechanism leveraged by the attacker, but that this function was a known, audited feature of plvGLP since inception. Plutus stated it was 'too eager to promote a protocol integrating plvGLP without complete audits' and committed to only promoting audited integrations going forward. Surplus GLP that remained in the plvGLP vault after the attack was designated for Lodestar depositor reimbursement.","heading":"Connection to Plutus DAO and GLP Ecosystem","severity":"high","sources":[{"credibility":2,"name":"Official Statement on the Lodestar Finance Exploit — Plutus DAO (Medium)","type":"official","url":"https://medium.com/@plutus.fi/official-statement-on-the-lodestar-finance-exploit-cf2b501647f5"},{"credibility":2,"name":"Lodestar Finance Incident Analysis — CertiK","type":"onchain","url":"https://www.certik.com/resources/blog/TqTyq4vYHl8JzS7zyJye9-lodestar-finance-incident-analysis"}]},{"content":"The attacker's primary wallet is identified on-chain as 0xc29d (with a collection address at 0xb50f...5db13). After draining Lodestar, the attacker bridged the proceeds to Ethereum mainnet and distributed them across three externally owned addresses. Lodestar publicly appealed to the exploiter via social media, stating 'If you are the hacker, reach out to us so we can find a white-hat agreement,' and offered a generous bounty for return of funds, but received no confirmed response at the time of contemporaneous reporting. No credible sources confirm that the attacker ultimately returned funds as a result of negotiation. 
Approximately 2.8 million GLP (roughly $2.4 million) remained in the plvGLP vault and was identified as recoverable for depositors, representing partial restitution from residual protocol assets rather than attacker cooperation.","heading":"Attacker Identity and Fund Recovery","severity":"high","sources":[{"credibility":2,"name":"Lodestar Finance attacked and drained of nearly $7 million in assets — Web3 Is Going Great","type":"news","url":"https://www.web3isgoinggreat.com/?id=lodestar-finance-attacked"},{"credibility":2,"name":"$6.9M Lodestar Exploit: Oracle Manipulations Through Attacking Issuance Mechanism Vulnerabilities — EigenPhi","type":"onchain","url":"https://eigenphi.substack.com/p/69m-lodestar-exploit-oracle-manipulations"},{"credibility":2,"name":"Hacker Steals $6.9 Million From Arbitrum-Based DeFi Protocol Lodestar Finance — Bitcoin.com News","type":"news","url":"https://news.bitcoin.com/hacker-steals-6-9-million-from-arbitrum-based-defi-protocol-lodestar-finance/"}]},{"content":"By October 2023, Lodestar used GLP assets recovered from the plvGLP vault — approximately $2.4 million — to repay roughly one-third of losses to affected depositors. In addition to direct asset recovery, the protocol allocated 750,000 esLODE (escrowed LODE governance tokens) for distribution to exploit victims. esLODE could be staked to earn a share of protocol revenue and converted to LODE linearly over one year; once staked, esLODE cannot be unstaked. A dedicated claim portal was established at claim.lodestarfinance.io. The combined recovery (GLP proceeds plus esLODE allocation) represented a partial but incomplete reimbursement. 
The attacker retained the majority of stolen funds.","heading":"Victim Compensation and Recovery Plan","severity":"high","sources":[{"credibility":2,"name":"Lodestar Finance — IQ.wiki","type":"news","url":"https://iq.wiki/wiki/lodestar-finance"},{"credibility":2,"name":"Lodestar Finance Staking Documentation","type":"official","url":"https://docs.lodestarfinance.io/documentation/technical-overview/staking"}]},{"content":"Prior to the December 2022 exploit, Lodestar Finance was audited by Solidity Finance (now SourceHat). The audit did not flag the GLPOracle price manipulation vector as a critical vulnerability — it reported no critical findings, 18 medium-severity improvements, and 2 gas optimization suggestions. The exploit demonstrated that the oracle design introduced a risk category that was not adequately covered in the audit scope. Following the relaunch, Lodestar conducted an audit competition via Hats Finance and engaged additional security reviews. Plutus DAO's plvGLP product was separately audited by Solidity Finance and was not found to be at fault in the exploit.","heading":"Pre-Exploit Audit and Security Posture","severity":"medium","sources":[{"credibility":2,"name":"Lodestar Finance Smart Contract Audit — SourceHat (formerly Solidity Finance)","type":"official","url":"https://sourcehat.com/audits/LodestarFinance/"},{"credibility":2,"name":"Lodestar Finance Audit Competition — Hats Finance (Medium)","type":"official","url":"https://hatsfinance.medium.com/lodestar-finance-audit-competition-2bb3b44209a3"},{"credibility":2,"name":"Official Statement on the Lodestar Finance Exploit — Plutus DAO (Medium)","type":"official","url":"https://medium.com/@plutus.fi/official-statement-on-the-lodestar-finance-exploit-cf2b501647f5"}]},{"content":"Following the exploit and a multi-month recovery period, Lodestar Finance relaunched on Arbitrum on April 8, 2023 as Lodestar V2. 
The relaunched protocol attracted over $30 million in TVL (deposits plus borrows) and generated over $23,000 in interest revenue in its initial period. ARB token support was added in May 2023 following governance approval. Lodestar received an incentive grant of 325,000 ARB from the Arbitrum DAO via the STIP-Bridge program and participated in Arbitrum's STIP Round 1 with over 750,000 ARB distributed to users as liquidity incentives. The team identity remains pseudonymous or undisclosed in public-facing materials.","heading":"Protocol Relaunch and Current Operations","severity":"medium","sources":[{"credibility":2,"name":"Lodestar Finance STIP Round 1 Proposal — Arbitrum Forum","type":"official","url":"https://forum.arbitrum.foundation/t/lodestar-finance-final-stip-round-1/16981"},{"credibility":2,"name":"Lodestar Finance STIP Addendum — Arbitrum Forum","type":"official","url":"https://forum.arbitrum.foundation/t/final-lodestar-finance-stip-addendum/23355"},{"credibility":2,"name":"Lodestar Finance — IQ.wiki","type":"news","url":"https://iq.wiki/wiki/lodestar-finance"}]},{"content":"No founders or core team members of Lodestar Finance have been publicly identified by name in any Tier 1 or Tier 2 source reviewed. The protocol operates under pseudonymous or undisclosed identities. 
The absence of a named, accountable team is a risk signal for users and depositors, particularly given the protocol's history of suffering a significant exploit.","heading":"Anonymous Team","severity":"medium","sources":[{"credibility":2,"name":"Lodestar Finance — IQ.wiki","type":"news","url":"https://iq.wiki/wiki/lodestar-finance"}]}],"sources_used":[{"name":"DeFi Lending Platform Lodestar Finance Loses $6.9M in Oracle Exploit — Unchained","type":"news","url":"https://unchainedcrypto.com/defi-lending-platform-lodestar-finance-loses-6-9m-in-oracle-exploit/"},{"name":"Lodestar Finance exploited in flash loan attack — CoinTelegraph","type":"news","url":"https://cointelegraph.com/news/lodestar-finance-exploited-in-flash-loan-attack"},{"name":"Hacker Steals $6.9 Million From Arbitrum-Based DeFi Protocol Lodestar Finance — Bitcoin.com News","type":"news","url":"https://news.bitcoin.com/hacker-steals-6-9-million-from-arbitrum-based-defi-protocol-lodestar-finance/"},{"name":"Lodestar Finance Incident Analysis — CertiK","type":"onchain","url":"https://www.certik.com/resources/blog/TqTyq4vYHl8JzS7zyJye9-lodestar-finance-incident-analysis"},{"name":"$6.9M Lodestar Exploit: Oracle Manipulations Through Attacking Issuance Mechanism Vulnerabilities — EigenPhi","type":"onchain","url":"https://eigenphi.substack.com/p/69m-lodestar-exploit-oracle-manipulations"},{"name":"Explained: The Lodestar Finance Hack — Halborn","type":"news","url":"https://www.halborn.com/blog/post/explained-the-lodestar-finance-hack-november-2022"},{"name":"Official Statement on the Lodestar Finance Exploit — Plutus DAO (Medium)","type":"official","url":"https://medium.com/@plutus.fi/official-statement-on-the-lodestar-finance-exploit-cf2b501647f5"},{"name":"Lodestar Finance attacked and drained of nearly $7 million in assets — Web3 Is Going Great","type":"news","url":"https://www.web3isgoinggreat.com/?id=lodestar-finance-attacked"},{"name":"Lodestar Finance — 
IQ.wiki","type":"news","url":"https://iq.wiki/wiki/lodestar-finance"},{"name":"Lodestar Finance Smart Contract Audit — SourceHat (formerly Solidity Finance)","type":"official","url":"https://sourcehat.com/audits/LodestarFinance/"},{"name":"Lodestar Finance Audit Competition — Hats Finance (Medium)","type":"official","url":"https://hatsfinance.medium.com/lodestar-finance-audit-competition-2bb3b44209a3"},{"name":"Lodestar Finance STIP Round 1 Proposal — Arbitrum Forum","type":"official","url":"https://forum.arbitrum.foundation/t/lodestar-finance-final-stip-round-1/16981"},{"name":"Lodestar Finance STIP Addendum — Arbitrum Forum","type":"official","url":"https://forum.arbitrum.foundation/t/final-lodestar-finance-stip-addendum/23355"},{"name":"Arbitrum money market Lodestar Finance exploited — The Block","type":"news","url":"https://www.theblock.co/post/193910/lodestar-finance-exploited"},{"name":"This DeFi Protocol Just Got Hacked for $6.9 Million — CryptoNews","type":"news","url":"https://cryptonews.com/news/defi-protocol-just-got-hacked-for-69-million-heres-what-happened/"}],"summary":"Lodestar Finance is an Arbitrum-based decentralized money market protocol that enables lending, borrowing, and leveraged trading against crypto collateral. On December 10, 2022, the protocol suffered a flash loan exploit in which an attacker manipulated the price oracle for the plvGLP collateral token, draining approximately $6.9 million from depositors. 
The protocol subsequently relaunched in April 2023 with a V2 update, partially compensating victims with recovered GLP assets and esLODE tokens, though the attacker was never identified and no confirmed negotiated return of funds occurred.","timeline":[{"date":"2022-12-10","event":"Flash loan exploit drains approximately $6.9 million from Lodestar Finance via plvGLP oracle price manipulation using the donate() function on Plutus DAO's GlpDepositor contract.","source":"CoinTelegraph","source_url":"https://cointelegraph.com/news/lodestar-finance-exploited-in-flash-loan-attack"},{"date":"2022-12-10","event":"Lodestar Finance sets all interest rates to zero and pauses borrowing and liquidations; publicly appeals to the attacker via social media for a white-hat agreement. No response confirmed.","source":"Bitcoin.com News","source_url":"https://news.bitcoin.com/hacker-steals-6-9-million-from-arbitrum-based-defi-protocol-lodestar-finance/"},{"date":"2022-12-10","event":"Plutus DAO publishes official statement confirming its platform was unaffected; designates surplus GLP in plvGLP vault for Lodestar depositor reimbursement.","source":"Plutus DAO Medium","source_url":"https://medium.com/@plutus.fi/official-statement-on-the-lodestar-finance-exploit-cf2b501647f5"},{"date":"2022-12-11","event":"CertiK and EigenPhi publish technical post-mortems confirming GLPOracle design flaw as sole root cause; attacker wallet identified as 0xc29d with proceeds bridged to Ethereum.","source":"CertiK Incident Analysis","source_url":"https://www.certik.com/resources/blog/TqTyq4vYHl8JzS7zyJye9-lodestar-finance-incident-analysis"},{"date":"2023-04-08","event":"Lodestar Finance relaunches on Arbitrum as V2; protocol attracts over $30 million in TVL and generates over $23,000 in protocol revenue in its initial period.","source":"Lodestar Finance / IQ.wiki","source_url":"https://iq.wiki/wiki/lodestar-finance"},{"date":"2023-05-01","event":"Lodestar Finance governance approves addition of ARB 
token support to lending markets.","source":"IQ.wiki — Lodestar Finance","source_url":"https://iq.wiki/wiki/lodestar-finance"},{"date":"2023-10-01","event":"Lodestar Finance distributes approximately $2.4 million in recovered GLP assets (roughly one-third of exploit losses) to affected depositors; 750,000 esLODE tokens allocated as supplemental victim compensation.","source":"IQ.wiki — Lodestar Finance","source_url":"https://iq.wiki/wiki/lodestar-finance"},{"date":"2023-11-01","event":"Lodestar Finance receives STIP Round 1 grant from Arbitrum DAO; over 750,000 ARB distributed to protocol users as liquidity incentives.","source":"Arbitrum Forum — STIP Round 1","source_url":"https://forum.arbitrum.foundation/t/lodestar-finance-final-stip-round-1/16981"}]},"v":1}