A Botched Heist: A Look At The Sloppy $8.5M Hack On Platypus Protocol
Avalanche-based Platypus Protocol, an AMM that was less than two weeks into launching its new stablecoin USP, suffered an $8.5M flash loan attack on Thursday. There has been plenty to say about stablecoins recently, but this story isn’t about regulation. It is about community-driven enforcement and collaboration to recover funds after the hack.
In less than 24 hours, community collaboration has allowed Platypus to recover almost a third of the funds – and the hacker has sleuths hot on his tail.
Moving At A Platypus’ Pace? Not So Fast
On the cusp of robust SEC and stablecoin discussion, including drama surrounding Paxos-issued BUSD and the SEC’s new suit against Do Kwon and Terraform Labs (creators of the Terra stablecoin UST), there’s more stablecoin madness this week that is unrelated to regulation.
Platypus Finance has been part of the Avalanche ecosystem for some time as an established AMM running a liquidity pool, and recently launched a stablecoin, USP, pegged to the US dollar.
On Thursday, a hacker who routinely identifies as ‘retlqw’ used a flash loan to take advantage of Platypus’ code. They sought to deploy a single contract to exploit Platypus, but the work has generally been seen as sloppy and a result of ‘poor coding’ rather than ‘good exploiting.’ The hacker took a flash loan from Aave for 44M USDC and deposited it into the Platypus pool in exchange for liquidity pool tokens. The exploiter then deposited those liquidity pool tokens into a staking contract, which allowed them to borrow a massive amount of USP tokens.
Up to this point, this is all standard procedure. The hacker then took advantage of an ‘emergencyWithdraw’ function, which let them take back the liquidity pool tokens and repay the flash loan from Aave while still keeping the borrowed USP tokens. The hacker swapped the USP tokens for as much as they could at that moment – roughly $8.5M worth of stablecoins.
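A simplified model of the emergency-withdrawal gap described above, added here as an illustration and not Platypus’ contract code: an emergency exit that releases staked collateral without checking outstanding debt, beside a hardened variant that refuses. The class and function names, the 95% borrow limit, the 1:1 LP valuation and the 41M borrow amount are assumptions.

```python
# Simplified accounting model (added example, not Platypus code).
# All names, the 95% limit and the 41M figure are illustrative assumptions.
from dataclasses import dataclass, field

BORROW_LIMIT_PCT = 95  # assumed share of staked value that may be borrowed


class PositionError(Exception):
    """Raised when an operation would break the collateral invariant."""


@dataclass
class StakingVault:
    check_debt_on_emergency: bool                 # False = flawed, True = hardened
    staked: dict = field(default_factory=dict)    # user -> LP tokens held as collateral
    debt: dict = field(default_factory=dict)      # user -> stablecoin owed

    def limit(self, user):
        return self.staked.get(user, 0) * BORROW_LIMIT_PCT // 100

    def deposit(self, user, lp_amount):
        self.staked[user] = self.staked.get(user, 0) + lp_amount

    def borrow(self, user, amount):
        if self.debt.get(user, 0) + amount > self.limit(user):
            raise PositionError("borrow exceeds collateral limit")
        self.debt[user] = self.debt.get(user, 0) + amount

    def emergency_withdraw(self, user):
        # Hardened path: collateral stays locked while any debt is open.
        if self.check_debt_on_emergency and self.debt.get(user, 0) > 0:
            raise PositionError("repay debt before withdrawing collateral")
        return self.staked.pop(user, 0)

    def unbacked_debt(self):
        # Invariant worth monitoring: debt not covered by staked collateral.
        return sum(max(0, d - self.limit(u)) for u, d in self.debt.items())


def run_sequence(hardened):
    """Replay deposit, borrow, emergency withdraw; return (lp_out, unbacked)."""
    vault = StakingVault(check_debt_on_emergency=hardened)
    vault.deposit("user", 44_000_000)   # flash-loan size from the article, LP valued 1:1
    vault.borrow("user", 41_000_000)    # constructed amount within the assumed limit
    try:
        lp_out = vault.emergency_withdraw("user")
    except PositionError:
        lp_out = 0
    return lp_out, vault.unbacked_debt()
```

With the check disabled the collateral leaves the vault and the whole borrow becomes unbacked; with it enabled the withdrawal is rejected and the invariant holds.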
Platypus Finance’s native token (PTP) has seen substantial volatility lately, with plenty of ups and downs. | Source: PTP-USDT on TradingView.com
Hot Pursuit
The Platypus team consulted with Avalanche’s internal team at Ava Labs, as well as industry professionals like BlockSec. Within a few hours, four lines of corrected code had been implemented to rectify the issue. Within the same day, crypto’s signature sleuth ZachXBT issued a tweet identifying the hacker and expressing interest in negotiating a bounty before reporting them to law enforcement:
Hi @retlqw since you deactivated your account after I messaged you.
I’ve traced addresses back to your account from the @Platypusdefi exploit and I am in touch with their team and exchanges.
We’d like to negotiate returning of the funds before we engage with law enforcement. pic.twitter.com/oJdAc9IIkD
— ZachXBT (@zachxbt) February 17, 2023
In less than 48 hours, Platypus has already recovered 2.4M USDC and it appears that many of the other funds are frozen courtesy of coordinated work with Platypus’ team. This hack serves as another stark reminder that code is often far from perfect in early stages of development.
The stablecoin sagas continue.