According to CertiK, the Avalanche-based stableswap platform had a vulnerability in the validation of the MasterPlatypusV4 contract by the emergencyWithdraw function, which fails only when the borrowed assets go beyond the borrowing limit.
When called, the function automatically transfers the user’s deposit assets without considering the worth of the assets borrowed by the user.
By depositing 44 million USDC into the Platypus USDC Asset (LP-USDC), the attacker obtained 44 million LP-USD tokens, which they subsequently deposited into MasterPlatypusV4.
The attacker then utilized the borrow() function in order to generate approximately 41.79 million USP – the maximum borrow limit set at 95% of the user’s collateral within the PlatypusTreasure contract.
“Because the attacker didn’t borrow over the 95% cap, the isSolvent value returned as “true” which enabled the attacker to call the EmergencyWithdraw function and the full amount of 44M LP-USDC,” wrote CertiK.
Subsequently, the attacker withdrew the 44 million USDC from the Platypus USDC Asset (LP-USDC) and began exchanging USP tokens for various assets using the Platypus Finance Pool. Once the flash loan was completely repaid, Platypus lost approx $8.5 million from the main pool.
“We are working on a full recovering plan right now and will keep the community update,” wrote Platypus Finance in a now deleted tweet.
USP stablecoin loses peg
As a result of the exploit, the protocol’s stablecoin Platypus USD (USP) lost its dollar peg and dropped around 51% to $0.47, at the time of writing, according to Coingecko data.
The firm has temporarily halted operations. “For now all operations are paused until we get more clarity,” a team member updated in the discord server.
Platypus also confirmed that the funds in other pools were unaffected, and the hacker has been contacted to negotiate a bounty. Tether has frozen the stolen USDT while the platform is working on freezing the USDC and BUSD assets.