Platypus, a stablecoin exchange platform built on the Avalanche chain, has suffered a significant loss of approximately $8.5 million after a cyberattack, according to a report by blockchain security firm SlowMist.
The attacker borrowed 44 million USDC from AAVE through a flash loan and deposited it into the pool on Platypus to obtain deposit receipts (LP-USDC). The attacker then deposited all of the LP-USDC into the MasterChef contract.
The attacker called the “borrow” function of the PlatypusTreasure contract to borrow all available USP in the market and updated their position and debt information. Then, the attacker called the “emergencyWithdraw” function of the MasterChef contract to make an emergency withdrawal.
The “isSolvent” function of the PlatypusTreasure contract was called first to check the health status of the user’s collateral. Since the attacker’s debt was less than their maximum borrowing amount at that time, the check passed.
All deposit receipts (LP-USDC) recorded in the contract as belonging to the attacker were then transferred directly back to the attacker without deducting the attacker’s outstanding debt.
The attacker then called the withdrawal function of the Platypus pool to burn the deposit receipts (LP-USDC), withdraw the USDC obtained, and exchange the USP borrowed in the second step for other stablecoins. Finally, they repaid the flash loan and earned a profit.
The root cause of the attack was that the “emergencyWithdraw” function in the MasterChef contract only checked the user’s debt health status before the withdrawal and did not deduct or settle the user’s debt. This allowed the attacker to withdraw the full collateral from the deposit while an outstanding debt remained against it.
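The accounting flaw described above can be reproduced in a small model. The following Python is an added illustration written for this article; it is not SlowMist's analysis code nor Platypus's contracts. The contract names, the 50% borrowing limit, the 44,000,000 deposit and the user label are constructed assumptions that mirror the narrative: a staking contract (MasterChef-style) holds collateral, a lending contract (Treasure-style) records debt against it, and the emergency withdrawal either only checks solvency (the flawed behaviour) or refuses to release collateral while debt is outstanding (one possible hardening).

```python
# Simplified model of collateral staking plus lending, constructed for
# illustration only (not Platypus code). The point: an emergency withdrawal
# that checks solvency but never settles the debt leaves the debt unbacked.

from dataclasses import dataclass


@dataclass
class Position:
    collateral: float = 0.0  # deposit receipts (LP-USDC) staked by the user
    debt: float = 0.0        # USP borrowed against that collateral


class Treasure:
    """Lending side: tracks collateral and debt per user (assumed design)."""

    def __init__(self, max_ltv: float = 0.5):  # 50% limit is an assumption
        self.max_ltv = max_ltv
        self.positions: dict[str, Position] = {}

    def position(self, user: str) -> Position:
        return self.positions.setdefault(user, Position())

    def max_borrow(self, user: str) -> float:
        return self.position(user).collateral * self.max_ltv

    def is_solvent(self, user: str) -> bool:
        p = self.position(user)
        return p.debt <= self.max_borrow(user)

    def borrow(self, user: str, amount: float) -> float:
        p = self.position(user)
        if p.debt + amount > self.max_borrow(user):
            raise ValueError("borrow exceeds limit")
        p.debt += amount
        return p.debt


class VulnerableMasterChef:
    """Staking side whose emergency withdrawal only checks health."""

    def __init__(self, treasure: Treasure):
        self.treasure = treasure

    def deposit(self, user: str, amount: float) -> None:
        self.treasure.position(user).collateral += amount

    def emergency_withdraw(self, user: str) -> float:
        # Checks the position is healthy *before* withdrawal, then hands
        # back every receipt. The debt is never deducted or settled.
        if not self.treasure.is_solvent(user):
            raise ValueError("insolvent")
        p = self.treasure.position(user)
        out = p.collateral
        p.collateral = 0.0
        return out


class HardenedMasterChef(VulnerableMasterChef):
    """Same contract, but collateral cannot leave while debt is open."""

    def emergency_withdraw(self, user: str) -> float:
        p = self.treasure.position(user)
        # Require the debt to be repaid first (or, equivalently, re-check
        # solvency with the collateral removed, which fails for any debt > 0).
        if p.debt > 0:
            raise ValueError("outstanding debt must be repaid first")
        out = p.collateral
        p.collateral = 0.0
        return out


def run_scenario(chef_cls, deposit: float = 44_000_000.0) -> dict:
    """Deposit, borrow up to the limit, then attempt an emergency withdrawal.

    Returns the resulting state so the outcome of each variant can be compared.
    """
    treasure = Treasure()
    chef = chef_cls(treasure)
    user = "user"  # constructed label
    chef.deposit(user, deposit)
    borrowed = treasure.borrow(user, treasure.max_borrow(user))
    try:
        withdrawn = chef.emergency_withdraw(user)
    except ValueError:
        withdrawn = 0.0
    p = treasure.position(user)
    return {
        "borrowed": borrowed,
        "withdrawn": withdrawn,
        "remaining_collateral": p.collateral,
        "remaining_debt": p.debt,
        # Unbacked debt: the protocol still records a loan with no collateral.
        "bad_debt": bool(p.debt > 0 and p.collateral == 0),
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableMasterChef))
    print("hardened:  ", run_scenario(HardenedMasterChef))
```

Running both variants shows the difference in one line of output: the vulnerable contract releases the whole 44,000,000 of collateral while the 22,000,000 of debt stays on the books, whereas the hardened one refuses and the position remains fully backed. The general lesson for any vault that shares collateral accounting between a staking contract and a lending contract is that every path which releases collateral, including emergency or bypass paths, must either settle the debt or re-verify solvency on the post-withdrawal state rather than the pre-withdrawal state.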
It is noteworthy that the attacker did not implement the withdrawal function in the contract, so the profit from the attack could not be extracted and was locked in the attack contract.