On the 17th of February, an exploit was reportedly witnessed on the Avalanche-based stablecoin exchange named Platypus. The exploiter reportedly took away a profit of nearly $8.5M. The blockchain security platform SlowMist reported the incident on its official Twitter channel. The company additionally shared a report on the respective exploit in brief to caution the community.
Platypus Suffers a Loss of $8.5M via an Exploit, Says SlowMist
The blockchain security forum wrote a thread of tweets to highlight what took place in the exploit. It stated that the attacker initially borrowed nearly 44M USDC tokens from the AAVE platform by using the flash loan method. In the next step, the malicious actor deposited the borrowed funds into a Platypus-based pool to acquire deposit receipts in the form of LP-USDC. SlowMist mentioned that all of the respective deposit receipts were then deposited by the exploiter into the contract called MasterChef.
After doing that, the exploiter utilized the “borrow” operation for borrowing the entirety of the USP tokens existing in the market. In addition to this, the exploiter updated the position as well as the debt information thereof. Next to that, the attacker used the MasterChef contract’s “emergencyWithdraw” operation to extract the funds at once. Nonetheless, during this function, the “isSolvent” operation was activated for the “platypusTreasur contract” to confirm the consumer collateral’s health.
Exploiter Calls Diverse Functions to Exploit the Exchange
Since the debt of the attacker was lower than the peak borrowing amount, approval was provided. Without the deduction of the exploiter’s debt, the entirety of the receipts present in the respective contract was straightly transacted to the user.
In the end, the exploiter used the Platypus pool’s withdrawal function for burning the deposit receipts as well as extracting the USDC tokens. In addition to this, the exploiter utilized the borrowed USP tokens to swap for the rest of the stablecoins. Following that, the flash loan was repaid as well as profit was earned by the attacker.