On 12 October 2023, DeFi project Platypus Finance was exploited across three flash loan transactions, by two externally owned addresses (EOAs), for approximately $2.23 million. The exploit was due to price manipulation of the Platypus WAVAX and sAVAX pools. Platypus were able to recover $575k after a mistake by an exploiter.
This is the third incident involving Platypus DeFi in 2023. On 16 Feb 2023, the project was exploited for approximately $8.5 million but was able to recover ~$2.4 million. Additionally, on 11 July 2023 Platypus lost around $157,000 due to a price imbalance between USDC and USDC.e which led to an arbitrage opportunity that was taken advantage of by multiple users.
At 03:29 AM UTC on 12 October 2023, Platypus DeFi were exploited by EOA 0x0cd4 for approximately $1.2 million via a flash loan.
At 06:16 AM a second attack, by EOA 0x4640, took around $575k which was followed by a third attack one minute later, from the initial exploiter 0x0cd4, with around $450k taken. A total of $2.23 million was taken across the three malicious transactions.
Contract: 0x4cfb527f51b391ecb1a5197edc7a38160c261b6f created by 0x0cd4 showed a balance of $1,649,680 following the incident after two exploit transactions.
Contract: 0xF2c444572A402ec83B7Cb64E4A9Fc2188F0628F2 created by 0x4640 showed a balance of $574,261 following the incident.
The sAVAX and AVAX from contract 0xF2c4 has since been moved to GnosisSafeProxy 0x068e after a successful rescue attempt (screenshot below). At the time of writing, 0x4cfb still holds the exploited funds.
Attacker EOA 1: 0x0cd4
Attacker EOA 2: 0x4640
The following analysis is based on the first exploit transaction
The attacker flash loaned 1.1m Wrapped AVAX (WAVAX) and 991k Staked AVAX (sAVAX). Just over $10m of each token.
The attacker then deposited 1.1m WAVAX into 0xc73e and received 1.1m Platypus AVAX. They also deposited 330k sAVAX into 0xa2a7 and received 330k Platypus sAVAX.
The remaining 600k sAVAX was swapped for 661k WAVAX.
801,521 WAVAX was then withdrawn in return for 1.02m Platypus AVAX from step 2.
1.4m WAVAX (661k from step 3 + 801k from step 4) was swapped for for 1.39m sAVAX.
Withdraw the remaining 80k WAVAX (with the remaining Platypus AVAX)
Swap 700k sAVAX for 991,999 WAVAX
Withdraw the 330k sAVAX with Platypus sAVAX (step 2)
Swap 70k sAVAX for 76k WAVAX
Repay 1.1m WAVAX and 992k sAVAX flash loan
After repaying the flash loan the attacker was left with 111k WAVAX (
$1m) and 20k ($200k) sAVAX due to the differences in swaps caused by depositing and withdrawing from the Platypus pools.
We recorded 40 price manipulation attacks in 2022 with combined losses reaching over $269 million. In comparison, the incident involving Platypus DeFi is the 46th incident recorded in 2023 with total combined losses coming in at less than 10% of 2022 at $20.4 million lost in 2023.
Looking at flash loan exploits as a whole, we have recorded four incidents in October, which continues a downward trend from a July peak of 23 incidents. Comparatively, there were 15 flash loan incidents recorded in October 2022.
At the time of writing CertiK has recorded four flash loan incidents in October. August and September saw 8 and 7 respectively, which is a reduction over the average of 18 incidents per month seen from January to July. Though the reduction in incidents is welcome news, a singular incident can still reach millions of dollars in losses. This incident represents the 10th largest flash loan incident that CertiK detected so far in 2023. Playtypus DeFi’s incident in February is the 3rd largest of the year. Despite the low number of flash loans detected since the start of August, CertiK has already detected more flash loans this year compared to 2022. The volume of flash loan attacks in 2023 demonstrates the need for robust security measures and third party audits. Check https://skynet.certik.com/ to help you understand the security risks behind projects you wish to engage with.