Two Avalanche (AVAX) DeFis Hacked in One Day

Today, Feb. 17, 2023, two decentralized finance (DeFi) protocols on Avalanche (AVAX) blockchain were attacked by malefactors. It looks like on-chain researchers managed to find at least one hacker.

One day, two attacks

At around 11:05 a.m. UTC, cryptocurrency security firm PeckShield posted an alert about a possible DeFi hack. Dexible, a multi-blockchain algorithmic trading DeFi protocol that has versions on Ethereum (ETH), Avalanche (AVAX), Poly Network (POLY), BNB Chain (BSC) and so on, lost over $1.5 million due to vulnerability in its codebase.

Hi @DexibleApp, you may need to ask users to revoke allowance! (The loss is already >$1.5M). Here is one hack tx: https://t.co/A076AeXsPz pic.twitter.com/HRQ8MBTSGm

— PeckShield Inc. (@peckshield) February 17, 2023

The vulnerability was found in a swap router contract. The attacker immediately started laundering funds through Tornado Cash (TORN) mixer. Per the first post-mortem released a few minutes ago, the actual size of losses is yet to be calculated:

This allowed the hacker to steal funds from any wallet that had an unspent spend approval on the contract.

Right now, the team is working on a recovery plan. All contracts are paused. Yesterday, the team invited all users to migrate to a new version of smart contract.

Also, Platypus, an Avalanche-based decentralized stablecoin protocol, suffered from an $8.5 million attack. Malefactors managed to organize a flash loan attack; the USP stablecoin of the project dropped below $0.5. In a collaboration with Tether Limited, the team managed to freeze the funds on the attacker’s USDT account.

ZachXBT comes to the rescue: Platypus attacker might be found

Right now, the team is in talks with Binance and Circle to lock the rest of the attackers’ loot.

Seasoned cryptocurrency researcher ZachXBT assists the team of DeFi in recovering the funds. He claimed that he discovered the Twitter account of the attacker. The attacker might be using domain retlqw.eth ENS.

Hi @retlqw since you deactivated your account after I messaged you.

I’ve traced addresses back to your account from the @Platypusdefi exploit and I am in touch with their team and exchanges.

We’d like to negotiate returning of the funds before we engage with law enforcement. pic.twitter.com/oJdAc9IIkD

— ZachXBT (@zachxbt) February 17, 2023

Following this statement, retlqw.eth deactivated both its Twitter and Instagram accounts. However, ZachXBT managed to offer him a bug bounty on behalf of the Platypus team.

Source