Avalanche-Based DeFi Protocol Platypus Gets Exploited For $8.5 Million


Although there is much reason to be excited about decentralized finance (DeFi), not everything goes according to plan. Projects with their own stablecoin are often the subject of attacks and exploits. That includes Platypus Finance, whose initial smart contracts contain some glaring issues.

Platypus Finance Gets Exploited

It is unfortunate to hear about any hack or exploit affecting a decentralized finance protocol. However, in the case of Platypus Finance, someone exploited a big oversight in the protocol’s code. It may be a small miracle no one attempted to exploit this issue before or for a larger sum. The project had over $1.3 billion in TVL in March 2022, although that has dropped below $45 million in recent months. 

Per initial research, it appears the Platypus contract has an emergencyWithdraw() function. That isn’t abnormal, as quite a few protocols had or have a similar function. However, the attacker leveraged this code to deposit $44 million, borrow $42 million, and then get their original deposited funds back. There was no deduction for the borrowed amount, as that “check” doesn’t exist in the code. 
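The missing check described above, as a simplified Python model added here for illustration. It is not Platypus's contract code; the `LendingPool` class, its method names and the 96% borrow limit are assumptions. It contrasts an emergency withdrawal that ignores open debt with one that keeps collateral locked while debt is outstanding.

```python
from dataclasses import dataclass, field

class Insolvent(Exception):
    """A withdrawal or borrow would leave debt under-collateralized."""

@dataclass
class LendingPool:
    max_ltv_bps: int = 9600  # assumed borrow limit: 96% of collateral
    collateral: dict = field(default_factory=dict)
    debt: dict = field(default_factory=dict)

    def limit(self, user):
        return self.collateral.get(user, 0) * self.max_ltv_bps // 10_000

    def deposit(self, user, amount):
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def borrow(self, user, amount):
        new_debt = self.debt.get(user, 0) + amount
        if new_debt > self.limit(user):
            raise Insolvent("borrow exceeds collateral limit")
        self.debt[user] = new_debt

    def emergency_withdraw_unchecked(self, user):
        # Flawed path: returns the whole deposit and never looks at debt.
        return self.collateral.pop(user, 0)

    def emergency_withdraw_checked(self, user):
        # Hardened path: collateral stays locked while any debt is open.
        if self.debt.get(user, 0) > 0:
            raise Insolvent("repay outstanding debt before withdrawing")
        return self.collateral.pop(user, 0)

    def bad_debt(self):
        # Debt that is no longer backed by collateral, i.e. the pool's loss.
        return sum(max(0, d - self.limit(u)) for u, d in self.debt.items())

def run(withdraw_name):
    """Replay deposit -> borrow -> emergency withdraw with the page's figures."""
    pool = LendingPool()
    pool.deposit("user", 44_000_000)   # constructed sample amounts
    pool.borrow("user", 42_000_000)
    try:
        returned = getattr(pool, withdraw_name)("user")
    except Insolvent:
        returned = 0
    return returned, pool.bad_debt()

if __name__ == "__main__":
    print(run("emergency_withdraw_unchecked"))
    print(run("emergency_withdraw_checked"))
```

The `bad_debt()` figure is the invariant worth testing in any audit or unit test of a withdrawal path: it must stay at zero after every state-changing call.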

However, it seems the culprit can’t do much with their newly acquired wealth. The funds are seemingly stuck forever, and one person potentially associated with the hack has been identified already. Some addresses used during the Platypus attack tie to Twitter user Retlqw, who subsequently deleted their social media accounts. 

In addition, the Platypus team is in touch with various exchanges to ensure the stolen funds can’t be cashed out. That makes exploiting the protocol for roughly $8 million in total worthless to the attacker. However, if the attacker intended to destabilize the Platypus USD (USP) stablecoin’s peg, they succeeded in that mission. The currency dipped under $0.48, despite supposedly maintaining a $1 value.

What Comes Next?

While it seems unlikely the stolen funds will be cashed out, the hacker may not return them. As such, the Platypus team will have to find a way to retrieve them by other means. A bounty is set up to encourage the culprit to return the stolen money. It is unclear how big the bounty will be or what other recourse there may be if this effort falls through.

Additionally, Platypus will work with exchanges to prevent stolen USP from being used. A similar process will be launched with the help of all stablecoin issuers. Furthermore, the team will address the USP solvency check mechanism flaw to ensure this cannot happen again. User deposits are covered up to 35% of their initial amount, and none of the funds in other Platypus pools are affected. 

Unfortunately, this incident is the umpteenth DeFi-related hack or exploit in recent years. Nevertheless, criminals continue to leverage flash loan exploits against any protocol with lackluster security. This was likely not the last attack against decentralized finance protocols either. 
