{"id":520094,"date":"2023-02-17T23:18:17","date_gmt":"2023-02-17T23:18:17","guid":{"rendered":"https:\/\/uniquehot.com\/?p=520094"},"modified":"2024-06-11T14:32:38","modified_gmt":"2024-06-11T14:32:38","slug":"a-botched-heist-a-look-at-the-sloppy-8-5m-hack-on-platypus-protocol","status":"publish","type":"post","link":"https:\/\/uniquehot.com\/news\/a-botched-heist-a-look-at-the-sloppy-8-5m-hack-on-platypus-protocol\/","title":{"rendered":"A Botched Heist: A Look At The Sloppy $8.5M Hack On Platypus Protocol"},"content":{"rendered":"
Avalanche-based Platypus Protocol, an AMM that was less than two weeks into launching its new stablecoin USP, suffered an $8.5M flash loan attack on Thursday. There has been plenty of talk about stablecoins recently, but this story isn’t about regulation. It is about community-issued enforcement and collaboration to rectify actions from the hack.<\/p>\n
In less than 24 hours, community collaboration has allowed Platypus to recover almost a third of the funds – and the hacker has sleuths hot on his tail.<\/p>\n
On the cusp of robust SEC and stablecoin discussion, including drama surrounding Paxos-issued BUSD and the SEC’s new suit against Do Kwon and Terraform Labs (creators of the Terra stablecoin UST), there’s more stablecoin madness this week that is unrelated to regulation.<\/p>\n
Platypus Finance has operated in the Avalanche ecosystem for some time now as an established AMM operating a liquidity pool, and recently launched a stablecoin, USP, pegged to the US dollar.<\/p>\n
On Thursday, a hacker who routinely identifies as ‘retlqw’ used a flash loan to take advantage of Platypus’ code. They sought to deploy a single contract to exploit Platypus, but the work has generally been seen as sloppy and a result of ‘poor coding’ rather than ‘good exploiting.’ The hacker took a flash loan from Aave for 44M USDC and deposited it into the Platypus pool in exchange for liquidity pool tokens. The exploiter then deposited those liquidity pool tokens into a staking contract, allowing them to borrow a massive amount of USP tokens.<\/p>\n
Up to this point, this is all standard procedure. The hacker then took advantage of an ‘emergencyWithdraw’ function, which manipulated the code to allow the hacker to swap back the liquidity pool tokens, repay the flash loan from Aave, and still keep the USP tokens. The hacker swapped USP tokens for as much as they could at that moment – roughly $8.5M worth of stablecoins.<\/p>\n
<\/p>\n
Platypus Finance (PTP) native token has seen substantial volatility through ups and downs lately. | Source: PTP-USDT on TradingView.com<\/a><\/pre>\n\n