An attacker executed a flash loan attack on an Avalanche stableswap platform, stealing several million dollars-worth of crypto.
A Feb. 16 alert from blockchain security firm Certik disclosed that Platypus DeFi, a stablecoin swapping platform built on the Avalanche blockchain, lost $8.5 million in an exploit.
Tx AVAX: 0x1266a937c2ccd970e5d7929021eed3ec593a95c68a99b4920c2efa226679b430
Stay Frosty! pic.twitter.com/AM2HOM5M2r
— CertiK Alert (@CertiKAlert) February 16, 2023
Platypus DeFi acknowledged the exploit on Twitter, saying that the hacker took advantage of its stablecoin’s solvency check mechanism. The protocol’s U.S.-dollar pegged stablecoin Platypus USD (USP) lost more than 50% of its value after the exploit. USP was trading at around $0.47 at the time of writing.
The Platypus DeFi team also appears to have attempted to communicate with the hacker, according to a message encoded in a transaction on the Avalanche blockchain.
“We can give you a very generous bounty (% of stolen funds) for your efforts in finding this issue. If you are acting as white hat, please get in contact with us,” read the message, viewable on Avalanche blockchain explorer Snowtrace.
Users have also reported that deposits and withdrawals on the main pool on the stableswap platform have been temporarily suspended.
On-chain sleuth ZachXBT noted that the hacker’s wallet address has already been blacklisted by Tether.
An independent analysis of the attack from on-chain analyst Daniel Von Fange found that the attacker used an “emergency withdraw” function on the smart contract to carry out the exploit.
In the two hour old Platypus hack, it looks the attacker deposited 44 million, borrowed 42 million, and then used the emergencyWithdraw(), which happily gave the attacker the full original deposited funds back – no deductions for the borrow. pic.twitter.com/QncRrRYg8j
— Daniel Von Fange (@danielvf) February 16, 2023
“This is a bad look for USP auditors, who should have caught this relatively trivial bug,” tweeted web3 investor “@demirelo” on Twitter.
While the hacker made multiple contracts to execute the exploit, the bulk of stolen funds was executed through this first attack contract, which does not appear to have a mechanism to withdraw them from this location.
“seems there is a pretty good chance the attacker’s funds are trapped forever without a means for him to withdraw successfully from his attack contract,” tweeted Twitter user “@spreekaway.”