On Twitter, the security company CertiK Alert reported that the stablecoin trading project Platypus had been the target of an AAVE flash loan assault, which caused total asset losses of about $9 million.
A portion of the stolen money was transmitted to the EOA and AAVE pools, while the majority is still in the attacker's contract address.
The MasterPlatypusV4 contract's EmergencyWithdraw function, which will only fail when the borrowed asset exceeds the borrowing limit, looks to be the weak point.
Regardless of the value of the user's borrowed assets, this function then transfers all of the user's deposited assets. Here is the precise procedure:
- In exchange for 44 million LP-USD, the attacker received 44 million USDC from Platypus' USDC assets (LP-USDC). The attacker then funds MasterPlatypusV4 with LP-USD.
- When the attacker wants to fill the contract coffers with 41.79 million USP, they use the loan() function. This sum, which is equal to 95% of the user's collateral, is the maximum permitted under the loan limit.
- The value of isSolvent returns "yes" since the attacker does not borrow more than 95% of the upper limit, enabling the attacker to use the EmergencyWithdraw function and all 44 million LP-USDC.
- The attacker started exchanging USP for different assets through the Platypus Finance team after withdrawing 44 million USDC from Platypus USDC assets (LP-USDC).
The platform suffered a total loss of about $9 million after repaying the flash loan. On the official Telegram group, the team announced:
“We are currently working to assess the situation and will be in touch promptly. For now, all action has been paused until the situation is over becomes clearer.”
The original stablecoin for the Platypus USP project has de-anchored at $0.4785.