Platypus Finance Hack — February 16, 2023
Overview
On February 16, 2023, at 07:16:54 PM UTC, Platypus Finance was attacked for approximately $8.5–$9.1 million. The DeFi protocol suffered a flash loan attack, pushing the Platypus USD (USP) stablecoin to break its peg with the U.S. dollar.
The Vulnerability
The attacker used a flash loan to exploit a logic error in the USP solvency check mechanism in the contract holding the collateral. The Platypus MasterPlatypusV4 contract contained a fatal misconception in its emergencyWithdraw mechanism, performing its solvency check before updating the LP tokens associated with the stake position.
Attack Details
The attack was executed in a single transaction where the attacker:
1. Acquired a 44,000,000 USDC loan from the Aave V3 protocol
2. Deposited the same amount in the Platypus Finance Pool to acquire LP-USDC tokens
3. Deposited the LP-USDC tokens to the MasterPlatypusV4 implementation
4. Performed a borrow operation of roughly 41,794,533 units of USP
5. Withdrew the 44 million USDC and swapped the USP for multiple assets
6. Repaid the flash loan and stole approximately $8.5 million in user funds
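A simplified Python model of the check ordering described under The Vulnerability and exercised in steps 3 to 5 above, added here as an illustration; it is not the MasterPlatypusV4 source. The function names, the Position record and the 95% borrow limit are assumptions made for the example; the amounts are the ones quoted in the steps.

```python
from dataclasses import dataclass

BORROW_LIMIT_BPS = 9_500  # assumed borrow limit (95% of stake); not from the page


class Insolvent(Exception):
    pass


@dataclass
class Position:
    staked_lp: int = 0  # LP tokens staked as collateral
    usp_debt: int = 0   # USP borrowed against that stake


def is_solvent(staked_lp: int, usp_debt: int) -> bool:
    # Debt must fit within the borrow limit of the stake passed in.
    return usp_debt * 10_000 <= staked_lp * BORROW_LIMIT_BPS


def borrow(pos: Position, amount: int) -> None:
    if not is_solvent(pos.staked_lp, pos.usp_debt + amount):
        raise Insolvent("borrow exceeds limit")
    pos.usp_debt += amount


def emergency_withdraw_flawed(pos: Position) -> int:
    # Ordering described on the page: the check reads the stake as it is
    # before the withdrawal, so an indebted position still passes.
    if not is_solvent(pos.staked_lp, pos.usp_debt):
        raise Insolvent("position insolvent")
    out, pos.staked_lp = pos.staked_lp, 0
    return out


def emergency_withdraw_checked(pos: Position) -> int:
    # Corrected ordering: test solvency against the stake that remains
    # after the withdrawal (zero), so any open debt blocks the exit.
    remaining = 0
    if not is_solvent(remaining, pos.usp_debt):
        raise Insolvent("debt outstanding; repay before withdrawing")
    out, pos.staked_lp = pos.staked_lp, remaining
    return out
```

With the flawed ordering the position ends at zero collateral while still carrying the full USP debt, which is the bad debt the protocol was left holding; with the corrected ordering the same call reverts and the stake stays locked until the debt is repaid.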
Impact and Recovery
The attack caused a large decline in the price of USP, down more than 66% compared to its intended $1 peg. The team was able to recover approximately $2.4 million USDC from the attack contract, with the remainder of the funds left in the attacker's contract.