Platypusdefi new stablecoin has been hacked for approximately $8.5 million dollars plus another $33 million $USP today. In the two hour old Platypus hack, the attacker deposited 44 million, borrowed 42 million, and then used the emergencyWithdraw() function which happily gave the attacker the full original deposited funds back – no deductions for the borrow.
However, PlatypusDefi confirmed the hack on a recent Twitter post. Platypus Defi offers two main products:
AMM where users can deposit stable coins and receive LP tokens.
Tekedia Mini-MBA edition 14 (June 3 – Sept 2, 2024) begins registrations; get massive discounts with early registration here.
Tekedia AI in Business Masterclass opens registrations here.
Join Tekedia Capital Syndicate and invest in Africa’s finest startups here.
Algorithmic stablecoin that’s pegged to the US dollar.
Dear Community,
We regret to inform you that our protocol was hacked recently, and the attacker took advantage of a flaw in our USP solvency check mechanism. They used a flashloan to exploit a logic error in the USP solvency check mechanism in the contract holding the collateral.— Platypus ? (?+?+?) (@Platypusdefi) February 17, 2023
In 2021, bEarn Fi on the BSC chain lost $11M dollars on exactly same function emergencyWithdraw(pid). It’s a pity that people made the same mistake again in 2023. However, on chain sleuth ZachXBT posted on microblogging platform Twitter, that he’s traced the recent Platypusdefi hack funds to Retlqw a known scammer.
Hi retlqw since you deactivated your account after I messaged you.
I’ve traced addresses back to your account from the Platypusdefi exploit and I am in touch with their team and exchanges.
We’d like to negotiate returning of the funds before we engage with law enforcement.
ZachXBT was able to trace this hack exploits with ENS ‘retlqw.Eth address linked to Opensea and Twitter. Apparently, following intense community calls— Tether USDT blacklisted the stolen Platypusdefi funds with many degens asking how truly decentralized is the USDT stablecoin. In my honest opinion Tether is trying to secure the space and redeem itself from various allegations of auditing imbalances in the past and also not to have a face off from regulators for not taking appropriate measures to securing investors funds.
OxCygaar, a Software and Blockchain Engineer explains in-depth how the scammer exploited the USDC pair, he wrote “The hack starts by taking a flash loan out from Aave for 44 million USDC. For those that don’t know, a flash loan is a temporary loan that needs to be paid back in the same txn.
The exploiter then deposits this $44M into the Platypus USDC pool. This is one of the pools that makes up the Platypus AMM. In return, they receive $44M of Platypus’ LP token called LP-USDC”.
They then take the 44M LP-USDC and deposit that into a staking contract called MasterPlatypusV4 (based of Sushi’s MasterChef contract). Platypus allows LPs to borrow against their staked LP tokens (docs below).
The hacker used their deposit to borrow ~41.8M USP tokens. The 41.8M figure is the max amount they’re allowed to borrow against the 44M LP-USDC they put up. So the exploiter now holds 41.8M USP tokens and has 44M LP-USDC staked in the MasterPlatypus contract.
Everything up to this point has worked as intended. However, the hacker then calls the emergencyWithdraw function in the MasterPlatypus contract. This is where things break. You’ll notice on line 583 that the master contract calls PlatypusTreasure to see if the user is solvent and allowed to withdraw their staked LP-USDC.
The PlatypusTreasure code will in turn call MasterPlaytpus to get the amount of tokens staked to determine solvency. However, because the user’s staked amount is not yet set to 0 (line 599 of master), it appears that the user will still have 44M LP-USDC staked. This makes the PlatypusTreasure contract think that the user is solvent, which allows the emergency withdrawal to go through.
The rest of the exploit is straightforward: they swapped the LP-USDC back to USDC and returned the 44M USDC back to Aave. They then swapped as much of the 41.8M USP token for other stable coins as they could ($8.5M USDC/USDT/BUSD/DAI). The hacker still has 33M USP tokens.