The DeFi application Platypus Finance has suffered a $9 million attack, according to a series of tweets from the blockchain security firm CertiK on Feb. 16.
That report states that an attacker used flash loans on the Avalanche (AVAX) blockchain to exploit a function in one of Platypus’ smart contracts.
The attacker deposited $44 million of stablecoins into the application. With the assets obtained, the attacker could mint a similar amount of Platypus’ USP stablecoin (41.79 million USP). The attacker then exploited an emergency withdrawal function to access the original $44 million deposit and the minted USP. Finally, the attacker swapped the USP for other assets before paying back the loan.
The final difference, and the estimated loss for Platypus, was $9 million. Most of the stolen funds reportedly remain in the attacker’s contract address, though some have been sent to certain pools. Presumably, a portion of that amount can be returned or recovered.
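The sequence above can be modelled as a missing solvency check on the emergency path. The following is an added example, not Platypus' contract code: `Vault`, `MAX_LTV_BPS`, `replay` and the exact shape of the check are assumptions, and the report does not spell out the flawed logic beyond naming the emergency withdrawal function. Only the deposit and mint amounts come from the report.

```python
from dataclasses import dataclass


class Insolvent(Exception):
    """Raised when an action would leave minted USP without backing."""


@dataclass
class Position:
    collateral: int = 0  # stablecoins deposited, in USD
    debt: int = 0        # USP minted against the deposit


class Vault:
    MAX_LTV_BPS = 9500   # assumed borrow limit (95%), not from the report

    def __init__(self, check_debt_on_emergency: bool):
        self.check_debt_on_emergency = check_debt_on_emergency
        self.positions = {}

    def _limit(self, pos):
        return pos.collateral * self.MAX_LTV_BPS // 10_000

    def deposit(self, user, amount):
        self.positions.setdefault(user, Position()).collateral += amount

    def mint_usp(self, user, amount):
        pos = self.positions[user]
        if pos.debt + amount > self._limit(pos):
            raise Insolvent("mint exceeds borrow limit")
        pos.debt += amount

    def emergency_withdraw(self, user):
        pos = self.positions[user]
        # Hardened path: collateral stays locked while any USP is outstanding.
        if self.check_debt_on_emergency and pos.debt > 0:
            raise Insolvent("repay minted USP before withdrawing")
        amount, pos.collateral = pos.collateral, 0
        return amount

    def unbacked_usp(self):
        return sum(max(p.debt - self._limit(p), 0) for p in self.positions.values())


def replay(vault, user="acct"):
    """Run the reported sequence; return (collateral returned, USP left unbacked)."""
    vault.deposit(user, 44_000_000)
    vault.mint_usp(user, 41_790_000)
    try:
        returned = vault.emergency_withdraw(user)
    except Insolvent:
        returned = 0
    return returned, vault.unbacked_usp()
```

Checking `unbacked_usp() == 0` after every state-changing call is the invariant a test suite or on-chain monitor would assert; it is violated only in the variant that skips the debt check.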
Platypus confirmed the flash loan attack in a message on Telegram and Discord. It wrote that it is assessing the situation and will pause operations.
This line of attack is not unique to Platypus. Several other DeFi platforms have been targeted by flash loans in recent months, including Mango Markets in October, New Free DAO in September, Nirvana Finance last July, and Deus DAO last April.
Update: Platypus has recovered $2.4 million from the attack as of Feb. 18.