A Botched Heist: A Look At The Sloppy $8.5M Hack On Platypus Protocol

2023-2-18 02:18

Avalanche-based Platypus Protocol, an AMM that was less than two weeks into launching it’s new stablecoin USP, suffered an $8.5M flash loan attack on Thursday. There’s plenty to talk about recently about stablecoins, but this story isn’t about regulation – but rather about community-issued enforcement and collaboration to rectify actions from the hack.

In less than 24 hours, community collaboration has allowed Platypus to recover almost a third of the funds – and the hacker has sleuths hot on his tail.

Moving At A Platypus’ Pace? Not So Fast

On the cusp of robust SEC and stablecoin discussion, including drama surrounding Paxos-issued BUSD and the SEC’s new suit against Do Kwon and Terraform Labs (creators of the Terra stablecoin UST), there’s more stablecoin madness this week that is unrelated to regulation.

Platypus Finance has operated in the Avalanche ecosystem for some time now as an established AMM operating a liquidity pool, and recently launched a stablecoin, USP, pegged to the US dollar.

On Thursday, a hacker who routinely identifies as ‘retlqw’ used a flash loan to take advantage of Platypus’ code. They sought to deploy a single contract to exploit Platypus, but the work has generally been seen as sloppy and a result of ‘poor coding’ rather than ‘good exploiting.’ The hacker took a flash loan from Aave for 44M USDC, deposited it to the Platypus pool for liquidity pool tokens. The exploiter deposited those liquidity pool tokens into a staking contract, allowing them to borrow a massive amount of USP tokens.

This is all standard procedure, up until now: the hacker than took advantage of a ’emergencyWithdraw’ function, which manipulated the code to allow the hacker to swap back the liquidity pool tokens, returning the flash loan from Aave, and still maintain the USP token. The hacker swapped USP tokens for as much as they could at that moment – roughly $8.5M worth of stablecoins.

Hot Pursuit

The Platypus team consulted with Avalanche’s internal team at Ava Labs, as well as industry professionals like BlockSec. Within a few hours, four lines of corrected code had been implemented to rectify the issue. Within the same day, crypto’s signature sleuth ZachXBT issued a tweet identifying the hacker and expressing interest in negotiating a bounty before reporting them to law enforcement:

Hi @retlqw since you deactivated your account after I messaged you.

I've traced addresses back to your account from the @Platypusdefi exploit and I am in touch with their team and exchanges.

We’d like to negotiate returning of the funds before we engage with law enforcement. pic.twitter.com/oJdAc9IIkD

— ZachXBT (@zachxbt) February 17, 2023

In less than 48 hours, Platypus has already recovered 2.4M USDC and it appears that many of the other funds are frozen courtesy of coordinated work with Platypus’ team. This hack serves as another stark reminder that code is often far from perfect in early stages of development.

The stablecoin sagas continue.

Similar to Notcoin - Blum - Airdrops In 2024

origin »

BlockMason Credit Protocol (BCPT) на Currencies.ru

$ 0 (+0.00%)
Объем 24H $0
Изменеия 24h: 0.00 %, 7d: 0.04 %
Cегодня L: $0 - H: $0
Капитализация $0 Rank 99999
Цена в час новости $ 0.0195725 (-100%)

protocol platypus hack stablecoins story talk plenty

protocol platypus → Результатов: 5


У DeFi-протокола Platypus на Avalanche украли $8,5 млн

Стейблкоин DeFi-проекта Platypus Finance (USP) утратил привязку к доллару после атаки, в результате которой неизвестный вывел из протокола на базе Avalanche активы на $8,5 млн. Dear Community,We regret to inform you that our protocol was hacked recently, and the attacker took advantage of a flaw in our USP solvency check mechanism. They used a flashloan […]

2023-2-17 13:41