Introduction

On 16 February, 2023, at 07:16:54 PM UTC, Platypus Finance, the project behind the USP stablecoin, was attacked for approximately $8.5 million. The attack caused a large decline in the price of $USP of $0.33, (or down more than 66% compared to its intended $1 peg. The project’s native PTP token also lost a quarter of its value in a day. The attacker minted 40 million USP tokens from the MasterPlatypusV4 contract using 44 million Platypus LP-USDC tokens as collateral. So far, the team has been able to recover approximately $2.4 million USDC from the attack contract.

Summary

Platypus Finance was attacked on 16 February via a flash loan attack resulting in a total loss of approximately $8.5 million worth of assets. Platypus launched $USP in December 2022, describing the token as a USD-pegged stablecoin launched on Avalanche. According to DeFi Llama, Platypus is the seventh-largest protocol on the Avalanche network with a total value locked (TVL) of $41 million, despite the 25% drop from the day of the attack. As a result, USP de-pegged from the US dollar and, at the time of writing, all operations on the platform have been paused.

The day of the attack, the team posted on their Twitter account, ”Dear Community, We regret to inform you that our protocol was hacked recently, and the attacker took advantage of a flaw in our USP solvency check mechanism. They used a flash loan to exploit a logic error in the USP solvency check mechanism in the contract holding the collateral.” Platypus updated its pool contract to try and recuperate $2.4 million in USDC from the hacker.

The Platypus team released a post-mortem on 17 February, 2023, explaining that the Platypus MasterPlatypusV4 contract, “contained a fatal misconception in its emergencyWithdraw mechanism,” which made it perform, “its solvency check before updating the LP tokens associated with the stake position.” The vulnerability was in the emergencyWithdraw function's validation of the MasterPlatypusV4 contract, which solely verifies if the borrowed assets of the user exceed the borrowing limit and proceeds to transfer all of the user's deposit assets, without accounting for the number of assets borrowed by the user. Consequently, the attacker could borrow an amount equal to or less than the borrowing limit, and then use emergencyWithdraw to withdraw all the deposited assets. Additionally, on 17 February, 2023, Platypus Defi announced on their Twitter that they were able to successfully recover 2.4 million USDC from the attack contract and into the Platypus USP asset contract. However, $6.08 million still remains in the attack contract.

Platypus announced on the day of the attack that impacted users were covered for up to 35% of their investment and that they had reached out to the hacker to negotiate a bounty. Additionally, the team said all the stolen USDT were frozen and that they were actively working with Binance, Tether, and Circle, to freeze the other stolen funds. Crypto sleuth ZachXBT announced that a Twitter account going by @retlqw was responsible for the hack. The account has since been deleted.

Vulnerability

The vulnerability lay in the solvency check in the emergencyWithdraw() function of the MasterPlatypusV4 contract. The solvency check disregarded the attacker’s debt amount and only checked whether the debt amount reached the max limit. After the solvency check passed, the contract then allowed the attacker to withdraw all the deposited assets.

The function platypusTreasure.isSolvent() returns two values. The first boolean value Solvent shows if the user’s debt amount is below its borrow limit. *Image: isSolvent function. Source: CertiK. *

The second value debtAmount shows the amount of debt the attacker owes. Image: Amount owed by attacker. Source: CertiK.

If the user’s debt amount does not exceed the borrowing limit the value of Solvent will be true.

However, in function emergencyWithdraw of contract MasterPlatypusV4, the solvency check only validates the boolean value Solvent and ignores the debt amount. This means that if the attacker’s debt does not exceed the borrow limit, the attacker can call the function emergencyWithdraw to withdraw all the collateral and walk away with the stolen USP tokens.

Attack Flow

1. The attacker deposited 44 millionUSDC to the Platypus USDC Asset (LP-USDC) and gained 44 million LP-USD which was deposited to MasterPlatypusV4.

2. The attacker called borrow() to mint around 41.79 million USP in the contract PlatypusTreasure.

• The borrow limit was set as 95%, meaning that with 44 million LP USDC one could borrow 41794533641783253909672000 USP. Image: The borrow() function used to mint 41.79 million USP: Source: Etherscan.

• If the borrowed USP amount is no more than the 95% cap, the isSolvent value will always return true. *Image: Code depicting debt amount Source: CertiK. *

3. Due to the isSolvent variable being true, the attacker was able to call the EmergencyWithdraw() function to withdraw 44 million LP-USDC. Image: isSolvent variable returning true Source: CertiK.

4. The attacker then withdrew the 44 million USDC from the Platypus USDC Asset (LP-USDC) and started swapping the USP for multiple assets via the Platypus Finance: Pool for the following:

• USDC 2425762.268061
• USDC.e 1946900.836223
• USDT 1552550.943906
• USDT.e 1217581.624092
• BUSD 687369.440244482886082500
• DAI.e 691984.961226933170047020

5. Finally, the attacker repaid the flash loan and stole approximately $8.5 million in user funds.

Funds Recovery

On 17 February, 2023, at 4:50 PM +UTC, Platypus Defi announced on their Twitter that they were able to successfully recover 2.4 million USDC and transfer the stolen funds to the recovery contract. At the time of writing, $6.08 million USD still remains in the attackers contract. Image: 17 February funds recovery update from the Platypus team. Source: Twitter

Following this announcement, on 18 Feb, 2023, the team posted further guidance on their Twitter stating they paused liquidations and ensured users that they were working multiple different avenues to recover the remaining funds, which includes law enforcement action.

On 21 February, 2023, the Platypus team posted an Aave governance forum link to their Twitter page in an effort to gather feedback from the community and discuss the technical implementation of recovery actions. Image: Status update from Platypus team regarding stuck funds. Source: Twitter.

The team plans to work on a recovery contract to call the rescueTokens() function of the pool contract and then transfer the funds stuck in the attack contract to Platypus team’s multi-sig wallet. These actions would be subject to governance voting, which will then grant the recovery contract the Pool_Admin role access if the vote passes.

The protocol also launched a page that lets viewers see how much compensation they can get from the platform. The page allows users to understand how much they are owed after the exploit.

Conclusion

At the time of writing, $6.08 million USD still remains in the attackers contract. However, French officials have arrested two individuals likely responsible for the attack. Over the past year, other DeFi platforms have been targets of flash loan attacks, including Deus DAO, Nirvana Finance, New Free DAO or Mango Markets. In 2022, CertiK recorded 101 flash loan attacks, which totaled in $356,012,121 loss. The Platypus flash loan attack was first reported by CertiK, who tweeted the attacker’s contract address.

Smart contract auditing can recognize and neutralize incidents before malicious actors can exploit and steal funds. Protect yourself and your assets by following @CertiKAlert on Twitter to stay up to date on all the latest Web3 security news, and visiting CertiK.com as part of your due diligence.