
Platypus Finance Flash Loan Attack

Learn how Platypus Finance was exploited via flash loan attack leading to a loss of $9 million.

TL;DR

On February 16, 2023, Platypus was exploited via a flash loan attack, resulting in the total loss of approximately $9 million.

Introduction to Platypus

Platypus Finance is a single-sided automated market maker (AMM) for stablecoins built on the Avalanche network, designed to optimize capital efficiency.

Vulnerability Assessment

The vulnerability was a logic error in the USP solvency check of the contract that holds the collateral.

Steps

Step 1:

We attempted to analyze one of the attack transactions executed by the exploiter.

Step 2:

The flaw was in the MasterPlatypusV4 contract: its emergencyWithdraw function evaluated the solvency of a position before the collateral was removed, rather than on the state the withdrawal would leave behind, so a position that was healthy at call time could have all of its collateral released while its debt remained.



Step 3:

The exploiter first took a flash loan of 44 million $USDC from AAVE and deposited it into the Platypus Finance Pool, thereby minting roughly 44 million LP-USDC.

Step 4:

The attacker then deposited the 44 million LP-USDC into MasterPlatypusV4 as collateral and borrowed 41.7 million USP from PlatypusTreasury against it.

Step 5:

The attacker then triggered an emergency withdraw of the 44 million LP-USDC from the MasterPlatypusV4 contract. Because the solvency check ran before the collateral was removed, the withdrawal succeeded and left the 41.7 million USP debt position insolvent.

Step 6:

They then withdrew the 44 million $USDC deposited earlier from the Platypus Finance Pool and swapped 8.75 million USP, Platypus's stablecoin, into multiple assets: $USDC, $USDC.e, $USDT, $USDT.e, $BUSD, and $DAI.

Step 7:

The swapped assets were kept as profit, while the flash loan was repaid to AAVE.

Funds Flow of Platypus’s Attack Transaction. Courtesy of BlockSec

Step 8:

At the time of this writing, the contract deployed by the attacker holds all the stolen assets, which are worth approximately $8.5 million.



Step 9:

The second attack transaction netted $172,064, and a third netted approximately $380,000.
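The ordering flaw from Step 2, replayed with the amounts from Steps 3 to 5 as a small Python model. This is an added illustration, not Platypus code; the 95% collateral factor, the Position class, the replay helper and the two withdraw variants are assumptions made for the example.

```python
# Toy model of the emergencyWithdraw ordering flaw described in Step 2, replayed
# with the amounts from Steps 3 to 5. Constructed for illustration; not Platypus
# code. Integer token units; the 95% collateral factor is an assumption.
MAX_LTV_BPS = 9_500  # assumed: USP debt may not exceed 95% of collateral value

class Position:
    """One user's LP-USDC collateral in MasterPlatypusV4 and USP debt to the treasury."""
    def __init__(self) -> None:
        self.collateral = 0
        self.debt = 0

    def deposit(self, amount: int) -> None:
        self.collateral += amount

    def borrow(self, amount: int) -> None:
        if (self.debt + amount) * 10_000 > self.collateral * MAX_LTV_BPS:
            raise ValueError("borrow exceeds collateral factor")
        self.debt += amount

    def is_solvent(self, removing: int = 0) -> bool:
        """Would the position still be solvent after `removing` collateral leaves?"""
        return self.debt * 10_000 <= (self.collateral - removing) * MAX_LTV_BPS

    def emergency_withdraw_vulnerable(self) -> int:
        # Bug: solvency is judged on the current state, before collateral leaves,
        # so any position that is healthy right now passes the check.
        if not self.is_solvent():
            raise ValueError("position insolvent")
        out, self.collateral = self.collateral, 0
        return out

    def emergency_withdraw_fixed(self) -> int:
        # Fix: judge solvency on the state the withdrawal would leave behind.
        if not self.is_solvent(removing=self.collateral):
            raise ValueError("remaining collateral would not cover the debt")
        out, self.collateral = self.collateral, 0
        return out

def replay(variant: str) -> tuple:
    """Run Steps 3-5 against one withdraw variant; return (LP out, debt left, solvent)."""
    p = Position()
    p.deposit(44_000_000)  # LP-USDC minted from the flash-loaned USDC
    p.borrow(41_700_000)   # USP borrowed against that collateral
    try:
        out = getattr(p, variant)()
    except ValueError:
        out = 0  # withdrawal refused, collateral stays put
    return out, p.debt, p.is_solvent()
```

With the vulnerable ordering the full 44 million LP-USDC leaves while the 41.7 million USP debt stays behind unbacked; the corrected check refuses the withdrawal and the position remains solvent.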

Aftermath

The team announced the occurrence of the incident and its root cause on Twitter. They stated that the hacked funds originated from the main pool, while funds in the other pools remained unaffected.

According to the team, they are collaborating with third parties, including Binance, Tether, and Circle. The stolen USDT funds have been frozen, and Tether has blacklisted the attacker’s address.

They further mentioned that they are exploring options for compensation and reimbursement for affected investors.

The team later reported that they were able to recover approximately 2.4 million USDC from the attacker's contract, with the assistance of the BlockSec team.

Solution

One of the most effective ways to mitigate exploits arising from logic errors is to test the smart contract thoroughly at every level: unit testing, integration testing, functional testing, and so on. This helps identify potential issues before the contract is deployed.

Additionally, many formal verification tools can also be used to ensure that the smart contract behaves as it is intended to.

A team should also perform multiple security audits on their protocol to ensure that all potential vulnerabilities are identified and addressed in order to further secure the protocol.

We may not have been able to prevent this hack; however, its impact could have been significantly reduced if the team associated with Platypus Finance had set up a dedicated cover pool in the Neptune Mutual marketplace. Through our parametric policies, we offer coverage to users who have suffered a loss of funds or digital assets as a result of smart contract vulnerabilities.

Users who purchase the available parametric cover policies do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident is resolved through the incident resolution system. At the moment, our marketplace is available on two popular blockchain networks, Ethereum and Arbitrum.

Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.
