Flash Loan Attack on Platypus Finance Results in an $8.5 Million Loss

Summary

On February 16, 2023, Platypus Finance, the project behind the USP stablecoin, fell victim to a flash loan attack. This resulted in an estimated loss of $8.5 million. The exploit led to a significant drop in the price of the $USP stablecoin, devaluing it by more than 66% from its intended $1 peg. The attack was carried out by minting an excessive number of USP tokens from the MasterPlatypusV4 contract and using an inflated amount of Platypus LP-USDC tokens as collateral.

Attackers

The identity of the attackers is currently unknown, but it is believed to be linked to a now-deleted Twitter account, @retlqw.

Attacker Addresses:

Malicious Contracts:

Losses

  • ~$8.5 million

Timeline

  • February 16, 2023, 07:16:54 PM UTC: Attackers executed a flash loan attack.
  • February 17, 2023: The Platypus team announced the hack.
  • February 17, 2023, 04:21:19 PM UTC: The Platypus team reported that they returned 2.4 million.
  • February 25, 2023: French police arrested two people in connection with the Platypus attack.

Security Failure Causes

The post-mortem report identifies several causes:

  • Flawed Solvency Check in the emergencyWithdraw() Function: The emergencyWithdraw() function was implemented as a safety measure in the MasterPlatypusV4 contract. The solvency check within this function was supposed to ensure that a user couldn’t withdraw more funds than they had deposited, thereby maintaining the contract’s solvency. However, this check was improperly implemented. It failed to consider the user’s debt amount and only checked whether the debt had reached the max limit, leaving the function vulnerable to exploitation.
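The difference between the flawed check and a correct one, as an added simplified model (not Platypus Finance's contract code; collateral is valued 1:1, the 80% collateral factor, the per-user debt cap and all function names are assumptions):

```python
from dataclasses import dataclass
from typing import Callable, Tuple

# Assumed parameters (not Platypus values): collateral is valued 1:1 and a
# position may carry debt of at most 80% of its collateral value.
COLLATERAL_FACTOR_BPS = 8_000           # 80% in basis points
USER_DEBT_CAP = 1_000_000 * 10**18      # hypothetical maximum debt per user

@dataclass
class Position:
    collateral: int   # LP tokens locked as collateral (18-decimal units)
    debt: int         # USP minted against that collateral (18-decimal units)

def max_debt_for(collateral: int) -> int:
    """Largest debt the given collateral can back at the collateral factor."""
    return collateral * COLLATERAL_FACTOR_BPS // 10_000

def weak_solvency_check(pos: Position, withdraw_amount: int) -> bool:
    """Models the flawed check: it ignores how much collateral is about to
    leave and only asks whether the debt has reached the cap."""
    return pos.debt < USER_DEBT_CAP

def sound_solvency_check(pos: Position, withdraw_amount: int) -> bool:
    """Correct check: the collateral remaining *after* the withdrawal must
    still cover the outstanding debt at the collateral factor."""
    if withdraw_amount > pos.collateral:
        return False
    remaining = pos.collateral - withdraw_amount
    return pos.debt <= max_debt_for(remaining)

def emergency_withdraw(pos: Position, amount: int,
                       check: Callable[[Position, int], bool]) -> Position:
    """Apply a withdrawal only if the supplied solvency check passes."""
    if not check(pos, amount):
        raise ValueError("withdrawal would leave the position undercollateralized")
    return Position(pos.collateral - amount, pos.debt)

def demo() -> Tuple[bool, bool]:
    """Constructed position: 1000 collateral backing 700 of debt. Returns
    whether the weak check and the sound check allow withdrawing everything."""
    pos = Position(collateral=1_000 * 10**18, debt=700 * 10**18)
    return (weak_solvency_check(pos, pos.collateral),
            sound_solvency_check(pos, pos.collateral))

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The weak check passes because the debt is below the cap, even though every unit of collateral backing that debt is being removed; the sound check rejects the same call and only admits withdrawals that keep the remaining collateral above the debt.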