On Thursday, the Platypus USD (USP) stablecoin lost its dollar parity following an apparent exploit that allowed a wallet to siphon off around $8.5 million from the token’s liquidity pools. This attack occurred just weeks after Platypus DeFi issued the stablecoin.
The attack is believed to have been a flash loan exploit. In this type of attack, the attacker takes out a large loan and repays it in the same block, sandwiching in between the transactions that use the borrowed capital to exploit other protocols. Platypus’s swap function on the network has been disabled since the attack.
A pinned message in the official Platypus Telegram channel warned users of the attack: “There has been a flash-loan attack on USP. We are currently trying to assess the situation and will communicate promptly on it. For now all operations are paused until we get more clarity.”
The attacker appears to have taken out a $44 million flash loan from Aave V3, and in turn minted some 41 million US Platypus tokens. This was followed by the attacker cashing out some $8.5 million into other stablecoins, and paying back the flash loan. All of these actions took place in the same block of transactions, according to on-chain data.
Web3 security firm CertiK identified the vulnerability behind the attack. It said: “The vulnerability lies in the solvency checking in the function emergencyWithdraw of the MasterPlatypusV4 contract. The solvency check doesn’t take into account the value of the user’s debt. It only checks whether the debt amount has reached the max limit. After the solvency check passes, the contract allows the user to withdraw all deposited assets.”
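The check described in the quote can be modelled in a few lines of Python next to a debt-aware version; this is an added illustration, not code from the MasterPlatypusV4 contract. The `Position` type, the 95% `BORROW_LIMIT_BPS` value and all function names are assumptions, and the sample position is constructed from the article's round figures.

```python
from dataclasses import dataclass

BORROW_LIMIT_BPS = 9_500  # assumed maximum debt-to-collateral ratio (hypothetical value)


class Insolvent(Exception):
    """Raised when a withdrawal would leave debt without enough collateral."""


@dataclass
class Position:
    collateral: int  # USD value of the deposited assets
    debt: int        # stablecoin minted against that collateral


def max_debt(collateral: int) -> int:
    """Largest debt the given collateral supports under the assumed limit."""
    return collateral * BORROW_LIMIT_BPS // 10_000


def emergency_withdraw_flawed(pos: Position) -> int:
    # The check as the quote describes it: it only asks whether the debt
    # has reached the limit for the collateral currently deposited.
    if pos.debt > max_debt(pos.collateral):
        raise Insolvent("debt over limit")
    withdrawn, pos.collateral = pos.collateral, 0  # all collateral leaves, debt stays
    return withdrawn


def emergency_withdraw_fixed(pos: Position) -> int:
    # Debt-aware check: evaluate solvency on the state after the withdrawal.
    # With all collateral gone the limit is zero, so any debt must be repaid first.
    if pos.debt > max_debt(0):
        raise Insolvent("repay debt before withdrawing collateral")
    withdrawn, pos.collateral = pos.collateral, 0
    return withdrawn


def unbacked_debt(pos: Position) -> int:
    """Debt in excess of what the remaining collateral supports."""
    return max(0, pos.debt - max_debt(pos.collateral))


if __name__ == "__main__":
    # Constructed sample position, not on-chain data.
    pos = Position(collateral=44_000_000, debt=41_000_000)
    print(emergency_withdraw_flawed(pos), unbacked_debt(pos))
```

In the flawed path the position passes the limit check and then ends with zero collateral and its full debt outstanding, which is the state a post-withdrawal solvency check rejects.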
The attacker drained the pool’s liquidity in the previous block, which left the remaining 33 million tokens in the attacker’s wallet, unable to be traded. USP is now trading at around $0.47 after dropping by just over 52%.
Flash loan exploits are becoming increasingly common in the decentralized finance (DeFi) space. These attacks are possible because of the high-speed trading that flash loans allow. By taking out a loan and settling it in the same block, the attacker is able to use the loaned capital to exploit other protocols.
In the case of Platypus, the vulnerability in the solvency checking of the emergencyWithdraw function allowed the attacker to withdraw all deposited assets. This type of exploit is particularly damaging as it can result in the loss of large sums of money in a short period of time.
The Platypus DeFi team has yet to comment on the attack, though they have disabled the swap function on the network. It is unclear at this time how the team plans to address the issue and restore USP’s dollar parity.
Flash loan exploits are a growing problem in the DeFi space, and protocols need to take measures to keep their systems secure and users’ funds protected. While flash loan exploits can be difficult to prevent, protocols should make their contracts as secure as possible. This includes regularly auditing their contracts and making sure that any vulnerabilities are addressed promptly.
In the case of Platypus, the team will need to address the vulnerability in the emergencyWithdraw function in order to prevent similar exploits from occurring in the future. Until then, it is important that users remain vigilant and take steps to protect their funds from any potential attacks.