SNEAK PEEK:
- PlatypusDefi recently encountered exploitation via flash loans on the Avalanche network.
- The hacker deposited 44M USDC to Platypus USDC Asset and earned 44M LP -USD
- PlatypusDefi teams up with the authorities to apprehend the culprit.
On February 17, PeckShield, a blockchain security and data analytics company, purported in a tweet that PlatypusDefi, a decentralized finance platform, was hit with a devastating attack via flash loans on the Avalanche (AVAX) network. As a result, the project suffered losses of approximately $8.75 million in assets.
1/ @platypusdefi was exploited by a flash loan attack on Avalanche (tx: https://t.co/QUfTQvLsyQ), leading to the gain of ~$8.75m for the exploiter. pic.twitter.com/eFPhbdGF6f
— PeckShield Inc. (@peckshield) February 16, 2023
Further investigation into the attack on the Platypus project has revealed that the vulnerability lies in the emergencyWithdraw function’s validation of the MasterPlatypusV4 contract. Specifically, the function only fails if the borrowed assets exceed the borrowing limit, which allows the attacker to bypass the contract’s security measures.
According to reports, the hacker deposited 44 million USDC into the Platypus USDC Asset (LP-USDC) and earned 44 million LP-USD in return. The attacker then transferred the LP-USD to the MasterPlatypusV4 contract and used the borrow() method to generate 41.79 million USP in the PlatypusTreasure contract. This is the maximum amount allowed by the borrowing limit, which is set at 95% of the user’s collateral.
The attacker then manipulated the liquidity pools and extracted a considerable amount of cash from the project using the freshly issued USP. Although the vast bulk of the stolen assets is still in the attacker’s contract address, some have been transferred to an externally owned account (EOA) and an AAVE pool.
As a consequence of the attack, the Platypus USD stablecoin was de-pegged from the U.S. dollar, plummeting 52.2% to $0.478 at the time of publication.
In summary, the PlatypusDefi team was swift to react to the assault, trying to pinpoint the vulnerability’s primary source and put in place safeguards to avoid such occurrences in the future. Furthermore, to retrieve the money taken and apprehend the perpetrator, they have also informed the appropriate authorities and are closely collaborating with them.