An attacker executed a flash loan attack on an Avalanche stableswap platform, stealing several million dollars' worth of crypto.

A Feb. 16 alert from blockchain security firm Certik disclosed that Platypus DeFi, a stablecoin swapping platform built on the Avalanche blockchain, lost $8.5 million in an exploit.

Platypus DeFi acknowledged the exploit on Twitter, saying that the hacker took advantage of its stablecoin’s solvency check mechanism. The protocol’s U.S. dollar-pegged stablecoin, Platypus USD (USP), lost more than 50% of its value after the exploit. USP was trading at around $0.47 at the time of writing.

The Platypus DeFi team also appears to have attempted to communicate with the hacker, according to a message encoded in a transaction on the Avalanche blockchain.

“We can give you a very generous bounty (% of stolen funds) for your efforts in finding this issue. If you are acting as white hat, please get in contact with us,” read the message, viewable on Avalanche blockchain explorer Snowtrace.

Users have also reported that deposits and withdrawals on the main pool on the stableswap platform have been temporarily suspended.

On-chain sleuth ZachXBT noted that the hacker’s wallet address has already been blacklisted by Tether.

An independent analysis of the attack from on-chain analyst Daniel Von Fange found that the attacker used an “emergency withdraw” function on the smart contract to carry out the exploit.

“This is a bad look for USP auditors, who should have caught this relatively trivial bug,” tweeted web3 investor “@demirelo.”

While the hacker deployed multiple contracts to execute the exploit, the bulk of the stolen funds went through the first attack contract, which does not appear to have a mechanism to withdraw them from that location.

“seems there is a pretty good chance the attacker’s funds are trapped forever without a means for him to withdraw successfully from his attack contract,” tweeted Twitter user “@spreekaway.”