Stablecoin Trading Platform Platypus Hit by Flash Loan Attack, Losing About $9 Million

Key Points:

  • Today, the Platypus Stablecoin Exchange Project was hacked with an estimated loss of $9 million.
  • The project was hacked through flash loans on AVAX.
  • The cause is believed to be a flaw in the solvency check that the MasterPlatypusV4 contract performs in its EmergencyWithdraw function.

Security firm CertiK Alert announced on Twitter that the stablecoin trading project Platypus was hit by an AAVE flash loan attack, resulting in total asset losses of approximately $9 million.

Most of the stolen funds are still in the attacker’s contract address, with some being sent to the EOA and AAVE pools.

According to the CertiK analysis, the vulnerability appears to be in the solvency check performed by the EmergencyWithdraw function of the MasterPlatypusV4 contract. The check only fails when the borrowed asset exceeds the borrowing limit.

This function then proceeds to transfer all of the user’s deposited assets regardless of the value of the user’s borrowed assets. The specific process is as follows:

  1. The attacker deposited 44 million USDC into Platypus’ USDC assets (LP-USDC) and obtained 44 million LP-USDC. The attacker then deposited the LP-USDC into MasterPlatypusV4.
  2. The attacker calls the loan() function to mint approximately 41.79 million USP in contract coffers. This is the maximum amount allowed under the loan limit, equal to 95% of the user’s collateral.
  3. Since the attacker does not borrow more than the 95% upper limit, isSolvent returns “true,” allowing the attacker to call the EmergencyWithdraw function and withdraw all 44 million LP-USDC.
  4. The attacker withdrew 44 million USDC from Platypus USDC assets (LP-USDC) and started exchanging USP for various assets through the Platypus Finance team.
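
The accounting flaw in steps 1 to 3, as an added Python model (not the MasterPlatypusV4 source and not code from the original article). Class and method names are hypothetical, the amounts are the article's rounded figures, and the hardened variant is one possible fix, not the project's actual patch.

```python
from dataclasses import dataclass

LTV_BPS = 9_500  # 95% borrow limit from the article, in basis points


class Insolvent(Exception):
    pass


@dataclass
class Position:
    collateral: int = 0  # staked LP tokens
    debt: int = 0        # stablecoin minted against that collateral


class Vault:
    """Constructed toy model of the staking and borrowing accounting."""

    def __init__(self):
        self.positions = {}

    def deposit(self, user, amount):
        self.positions.setdefault(user, Position()).collateral += amount

    def borrow_limit(self, pos):
        return pos.collateral * LTV_BPS // 10_000

    def is_solvent(self, pos):
        return pos.debt <= self.borrow_limit(pos)

    def borrow(self, user, amount):
        pos = self.positions[user]
        if pos.debt + amount > self.borrow_limit(pos):
            raise Insolvent("borrow would exceed the limit")
        pos.debt += amount

    def emergency_withdraw_flawed(self, user):
        pos = self.positions[user]
        # Solvency is judged against collateral that is about to leave.
        if not self.is_solvent(pos):
            raise Insolvent("position insolvent")
        out, pos.collateral = pos.collateral, 0
        return out  # the outstanding debt is never looked at again

    def emergency_withdraw_hardened(self, user):
        pos = self.positions[user]
        # With zero collateral left, only a zero debt is still solvent.
        if pos.debt > 0:
            raise Insolvent("repay debt before withdrawing collateral")
        out, pos.collateral = pos.collateral, 0
        return out
```

After the flawed withdrawal the position holds debt with no collateral behind it, which is the state a post-withdrawal solvency check would reject.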

After the flash loan repayment, the total loss of this platform was around $9 million.

The team announced in the official Telegram group:

“We are currently working to assess the situation and will be in touch promptly. For now, all action has been paused until the situation is over becomes clearer”.

According to the data, USP, the Platypus project’s native stablecoin, has lost its peg and fallen to $0.4785.

Foxy

Coincu News