The Avalanche-based (AVAX) DeFi protocol, Platypus, has been exploited for around $8.5 million in a flash loan attack. The hack caused the Platypus USD (USP) stablecoin to de-peg, dropping from $1 to $0.47, a drop of around 52%.
Source: CoinGecko
Subsequently, the Avalanche-based (AVAX) protocol acknowledged the breach on Twitter, while a moderator of Platypus’ Telegram channel confirmed that the company has stopped trading. Moreover, the firm has confirmed the $8.5 million loss.
Platypus confirmed an $8.5 million loss from its primary pool. Moreover, the firm said that deposits are covered to an extent of 85%. However, other pools weren’t affected, the firm added. Tether Holdings has frozen the stolen USDT. Moreover, Platypus has asked Binance and Circle to freeze the other tokens that were stolen. The firm is in touch with the hacker to discuss a bounty for the money’s recovery.
How was the Avalanche-based Platypus protocol hacked?
According to PeckShield, the attack was possible due to a problematic implementation in the MasterPlatypusV4 contract. In particular, the emergencyWithdraw function improperly assesses the insolvency before the disposal of the collateral. This led to an insolvent debt position of $41.7M following the emergency withdrawal.
Flash loan assaults are a type of DeFi attack in which a cyber thief obtains a flash loan from a lending protocol (a type of uncollateralized lending) and utilizes it to manipulate the market in its favor. Avi Eisenberg reportedly employed a flash attack to influence the price of the MNGO currency from Mango Markets in October.
ZachXBT, an “On-chain sleuth,” claims that the Twitter account “retlqw,” is linked to the address identified by the Avalanche-based Platypus protocol. However, the Twitter account has since been deactivated. ZachXBT has asked the alleged perpetrator to enter a negotiation regarding returning the stolen funds. However, there has been no response as of yet.
At press time, Platypus USD (USP) was trading at $0.478292.