An attacker exploited a weakness in the Platypusdefi smart contract and moved the $8.5 million in profit generated by the exploit.
The blockchain security firm SlowMist announced on Friday that Platypusdefi, a stablecoin exchange platform based on the Avalanche blockchain, had been hacked. The firm made the announcement on Twitter on February 17, stating that the attacker made away with roughly $8.5 million.
SlowMist (@SlowMist_Team), February 17, 2023: “On February 17, @Platypusdefi, a stablecoin exchange platform on the Avalanche chain was attacked, and the attacker made a profit of approximately $8.5 million. Here is a brief report👇”
How it happened
The report said that the hacker initially borrowed 44 million USDC via the flash loan feature of AAVE and then deposited the borrowed USDC in a Platypus pool, which gave the hacker deposit receipts (LP-USDC). It further stated that the hacker's next move was to deposit all the LP-USDC into the MasterChef contract.
The statement said that the attacker later called the “borrow” function of a contract on the target network, the PlatypusTreasure, which enabled the attacker to borrow all the USP available in the market at that point. At this point, they updated their debt status and position.
The report continued,
“Then, the attacker called the “emergencyWithdraw” function of the MasterChef contract to make an emergency withdrawal. However, in this function, the “isSolvent” function of the platypusTreasure contract was called first to check the health status of the user’s collateral.”
SlowMist said that the check passed because the hacker’s debt was smaller than his maximum borrowing. It stated that all the deposit receipts (LP-USDC) that were registered on the contract to the hacker were moved back to the user.
A weak point that caused the exploit
It was at this point that the attacker called the withdrawal function of the Platypusdefi pool. This burned the deposit receipts (LP-USDC) and withdrew the USDC obtained. The attacker then exchanged the borrowed USP for other stablecoins, repaid the flash loan and moved on with the profit made.
SlowMist said that the main cause of the attack was the “emergencyWithdraw” function available in the MasterChef contract. The error comes from the fact that the function overlooks other factors while focusing on the health status of the user's debt. This enabled the attacker to pull out funds from the deposit despite having a pending debt.
Funds still locked up in attacked contract
The report said,
“The root cause of the attack was that the “emergencyWithdraw” function in the MasterChef contract only checked the user’s debt health status without deducting the user’s debt, which allowed the attacker to withdraw funds from the deposit while having outstanding debt.”
It further said that after decompiling the attack, the researchers found that the proceeds of the attack were still locked up in the attack contract because the attacker didn’t implement the withdrawal function in the contract.
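The root cause SlowMist describes, a health check that passes without the debt being deducted, can be seen in a small accounting model. This is an added example, not Platypus or SlowMist code; the class names, the 95% borrow limit and the amounts are assumptions constructed for illustration. It contrasts the flawed check with one that judges solvency on the collateral remaining after the withdrawal.

```python
# Simplified accounting model, constructed for illustration; not Platypus code.
# Assumed: the 95% borrow limit, the user name and all amounts.
LIMIT_BPS = 9500  # assumed max debt as basis points of collateral

class Rejected(Exception):
    pass

class Treasure:
    def __init__(self):
        self.debt = {}

    def is_solvent(self, user, collateral):
        # Health check only: is debt within the limit for this collateral?
        return self.debt.get(user, 0) <= collateral * LIMIT_BPS // 10_000

    def borrow(self, user, collateral, amount):
        self.debt[user] = self.debt.get(user, 0) + amount
        if not self.is_solvent(user, collateral):
            self.debt[user] -= amount
            raise Rejected("borrow exceeds limit")

class MasterChef:
    def __init__(self, treasure, hardened):
        self.treasure, self.hardened, self.staked = treasure, hardened, {}

    def deposit(self, user, lp):
        self.staked[user] = self.staked.get(user, 0) + lp

    def emergency_withdraw(self, user):
        lp = self.staked.get(user, 0)
        # Flawed form: health is judged on collateral that is about to leave.
        # Hardened form: health is judged on what remains afterwards (zero).
        remaining = 0 if self.hardened else lp
        if not self.treasure.is_solvent(user, remaining):
            raise Rejected("outstanding debt would be left unbacked")
        self.staked[user] = 0
        return lp

def unbacked_debt(hardened, lp=44_000_000, usp=41_000_000):
    """Debt left with no staked collateral behind it after the sequence."""
    treasure = Treasure()
    chef = MasterChef(treasure, hardened)
    chef.deposit("user", lp)
    treasure.borrow("user", chef.staked["user"], usp)
    try:
        chef.emergency_withdraw("user")
    except Rejected:
        pass
    return treasure.debt["user"] if chef.staked["user"] == 0 else 0
```

In the flawed form the full debt is left with nothing staked behind it; in the hardened form the withdrawal is rejected until the debt is cleared, while a user with no debt can still withdraw.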