According to a post-mortem analysis provided by CertiK of the $5.8 million Lodestar Finance exploit that occurred on Dec. 10,
5. The hacker burned a little over 3 million in GLP, their profit on this exploit was the stolen funds on Lodestar - minus the GLP they burned.
6. 2.8 Million of the GLP is recoverable, which is worth about $2.4 million. We are going to reach out to the hacker and...
In a similar instance, CertiK said that Lodestar Finance hackers "artificially pumped the price of an illiquid collateral asset which they then borrow against, leaving the protocol with irretrievable debt."
The attack occurred through a vulnerability in the PlutusDAO's plvGLP token on Lodestar. According to its documentation, Lodestar "uses verified, secure Chainlink price feeds for every asset it offers with the exception of plvGLP." Instead, the exchange rate of plvGLP to GLP relied on total assets divided by total supply on Lodestar.
As explained by CertiK, the exploiter first funded their wallet with 1,500 Ether (ETH) on Dec. 8 and, two days later, took out eight flash loans for a total of approximately $70 million worth of USD Coin (USDC), wrapped Ether (wETH) and Dai (DAI). This drove the exchange rate of plvGLP to GLP to 1.00:1.83, which meant that the exploiter was able to borrow even more assets from the protocol.
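The total-assets-divided-by-total-supply rate described above, modelled alongside one defensive bound, as an added example (not code from Lodestar, PlutusDAO or CertiK). The `ShareVault` and `BoundedRateOracle` names, the direct-transfer path used to inflate the rate, the starting balances and the 5% per-update step limit are assumptions for illustration only.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass
class ShareVault:
    """Toy vault whose share price is total_assets / total_supply (the rate the article describes)."""
    total_assets: float
    total_supply: float

    def exchange_rate(self) -> float:
        # Spot rate derived purely from on-chain balances, with no external price feed.
        return self.total_assets / self.total_supply

    def deposit(self, assets: float) -> float:
        # Normal path: shares are minted in proportion, so the rate does not move.
        shares = assets / self.exchange_rate()
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def inflate(self, assets: float) -> None:
        # Assumed manipulation path: assets added without minting shares push the rate up.
        self.total_assets += assets


class BoundedRateOracle:
    """Defensive wrapper: refuse a spot rate that jumps more than max_step from the last accepted value."""

    def __init__(self, initial_rate: float, max_step: float = 0.05):
        self.last_rate = initial_rate
        self.max_step = max_step

    def accept(self, spot_rate: float) -> Tuple[bool, float]:
        deviation = abs(spot_rate - self.last_rate) / self.last_rate
        if deviation > self.max_step:
            # Keep the last sane value; a lending market would pause borrowing here.
            return False, self.last_rate
        self.last_rate = spot_rate
        return True, spot_rate


def simulate_manipulation(inflow: float) -> dict:
    """Constructed scenario: a 1000/1000 vault receives `inflow` assets without new shares."""
    vault = ShareVault(total_assets=1_000.0, total_supply=1_000.0)
    oracle = BoundedRateOracle(vault.exchange_rate())
    vault.inflate(inflow)
    spot = vault.exchange_rate()
    accepted, used = oracle.accept(spot)
    return {"spot_rate": spot, "accepted": accepted, "rate_used": used}
```

With an inflow of 830 the spot rate reaches 1.83, matching the ratio CertiK reported, while the bounded oracle keeps using 1.0 and flags the jump.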
The borrowings quickly consumed all liquidity on the platform, leading the hacker to transfer the funds out of Lodestar and leaving users with bad debt. It is estimated that the exploiter made a total of $6.9 million in profits through the attack vector.
CertiK warned that the attack "is the result of flaws in the protocol's design rather than a bug in its smart contract code." The blockchain security firm further
Read more on cointelegraph.com