On February 17, 2023, the PlatypusDefi project suffered a devastating attack via flash loans on the Avalanche (AVAX) blockchain network. The attack resulted in losses of approximately $9 million worth of assets.
Flash loans are a decentralized finance (DeFi) transaction that allows a user to borrow a large number of funds without any collateral as long as the funds are returned within a single transaction block.
The inside scoop on the Platypus project vulnerabilities
Further investigation into the attack on the Platypus project has revealed that the vulnerability lies in the emergencyWithdraw function’s authentication of the MasterPlatypusV4 deal. In particular, the function only malfunctions if the loaned funds exceed the lending cap, which allows the attacker to bypass the contract’s security measures.
According to reports, the intruder deposited 44 million USDC into the Platypus platform (LP-USDC) and earned 44 million LP-USD in return. The hacker then transferred the earned assets to the MasterPlatypusV4 agreement and used the borrow() method to generate 41.79 million USP in the PlatypusTreasure contract. This is the maximum amount allowed by the borrowing limit, which is set at 95% of the user’s collateral.
The attacker then manipulated the liquidity pools and extracted a considerable amount of cash from the project using the freshly issued USP. Although the vast bulk of the stolen assets is still in the attacker’s contract address, some have been transferred to an externally owned account (EOA) and an AAVE pool.
As a consequence of the attack, the Platypus USD stablecoin was de-pegged from the U.S. dollar, plummeting 52.2% to $0.478 at the time of publication.
Twitter detective, ZachXBT, uncovers clues to identify the crypto hacker
ZachXBT, an on-chain sleuth, recently asserted in a tweet that he has traced the addresses back to the account of a user named @retlqw. Despite deactivating his account after being messaged, @retlqw’s transaction history across multiple chains has been reviewed, leading to his ENS address retlqw.eth.
Further investigation into @retlqw’s social media activity has revealed that their OpenSea account links directly to their Twitter account. In addition, @retlqw liked a tweet about the Platypus exploit, which raises suspicions about their involvement in the attack.
Given the evidence against @retlqw, ZachXBT has contacted the PlatypusDefi team and exchanges to negotiate the return of the funds before engaging with law enforcement. It remains to be seen whether @retlqw will respond to the victim’s request or legal action will be taken against him.
In summary, the PlatypusDefi team was also swift to react to the assault, trying to pinpoint the vulnerability’s primary source and put safeguards in place to avoid such occurrences. Furthermore, to retrieve the money taken and apprehend the perpetrator, they have also informed the appropriate authorities and are closely collaborating with them.
Tokenhell produces content exposure for over 5,000 crypto companies and you can be one of them too! Contact at info@tokenhell.com if you have any questions. Cryptocurrencies are highly volatile, conduct your own research before making any investment decisions. Some of the posts on this website are guest posts or paid posts that are not written by Tokenhell authors (namely Crypto Cable , Sponsored Articles and Press Release content) and the views expressed in these types of posts do not reflect the views of this website. Tokenhell is not responsible for the content, accuracy, quality, advertising, products or any other content or banners (ad space) posted on the site. Read full terms and conditions / disclaimer.
