Outsmarted by crypto hackers, a De-Fi platform had US$9m siphoned off its system in a flash (loan)!

On 16 Feb this year, US$9m was stolen from a DeFi platform by attackers exploiting a vulnerability in the system’s solvency checking process.

At present, some US$8.5m worth of assets remain in the contract the attackers deployed. The rest had been transferred to an externally-owned address and an Aave pool ($171,000 and $399,400 respectively).

The DeFi platform, Platypus, uses a solvency check function that does not take into account the value of the user’s debt. It only checks whether the debt amount has reached the maximum limit. So, after the solvency check passes, the contract allows the user to withdraw all deposited assets.

The attack involves the following steps:

    1. The attacker deposits 44m USDC to the Platypus USDC pool and gains 44m LP-USDC liquidity provider tokens.
    2. The 44m LP-USDC is deposited into a MasterPlatypusV4 contract containing the vulnerability. The platform’s borrow limit is set to 95%, meaning that the attacker can borrow at most 41.8m USP against their 44m LP-USDC.
    3. The attacker borrows 41.8m USP in the contract PlatypusTreasure. Since the borrowed USP amount does not exceed the limit, the system’s bug allows the attacker to withdraw the entirety of their 44m LP-USDC using an EmergencyWithdraw feature.
    4. The attacker withdraws a total of 43,999,999,921,036 USDC (LP-USDC) after paying the liquidity removal fee.
    5. The attacker repays the flash loan and profits approximately $9m in the form of multiple stablecoins:
      • 2,425,762 USDC
      • 1,946,900 USDC.e
      • 1,552,550 USDT
      • 1,217,581 USDT.e
      • 687,369 BUSD
      • 691,984 DAI.e
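The check-then-withdraw flaw in steps 1 to 3 is easiest to see in a toy model. The following is an added example, not the Platypus contract code: the names, the whole-token amounts and the integer borrow-limit arithmetic are assumptions, but the 44m deposit, 95% limit and 41.8m borrow are the figures from the article. The buggy path checks solvency against the collateral currently on deposit and then releases all of it; the hardened path checks against the collateral that would remain.

```python
BORROW_LIMIT_BPS = 9_500  # 95% borrow limit, as stated in the article


class Position:
    """Collateral (LP-USDC) and debt (USP) of one user, in whole tokens."""

    def __init__(self, collateral: int, debt: int = 0) -> None:
        self.collateral = collateral
        self.debt = debt


def max_borrow(collateral: int) -> int:
    return collateral * BORROW_LIMIT_BPS // 10_000


def borrow(pos: Position, amount: int) -> None:
    if pos.debt + amount > max_borrow(pos.collateral):
        raise ValueError("borrow exceeds limit")
    pos.debt += amount


def is_solvent_buggy(pos: Position) -> bool:
    # Flaw: only asks whether current debt is within the limit for the
    # collateral currently on deposit; the collateral about to leave is ignored.
    return pos.debt <= max_borrow(pos.collateral)


def emergency_withdraw_buggy(pos: Position) -> int:
    # Check-then-act with no re-check: once the check passes, everything leaves
    # and the debt stays behind with nothing backing it.
    if not is_solvent_buggy(pos):
        raise ValueError("insolvent")
    withdrawn, pos.collateral = pos.collateral, 0
    return withdrawn


def emergency_withdraw_fixed(pos: Position, amount: int) -> int:
    # Hardened form: evaluate solvency against the collateral that would remain.
    remaining = pos.collateral - amount
    if remaining < 0 or pos.debt > max_borrow(remaining):
        raise ValueError("withdrawal would leave debt above the borrow limit")
    pos.collateral = remaining
    return amount


def run_attack_flow(use_fix: bool) -> tuple:
    """Replay steps 1-3: deposit 44m, borrow 41.8m, try to withdraw it all.
    Returns (collateral withdrawn, debt still outstanding)."""
    pos = Position(collateral=44_000_000)
    borrow(pos, 41_800_000)
    try:
        out = (emergency_withdraw_fixed(pos, pos.collateral) if use_fix
               else emergency_withdraw_buggy(pos))
    except ValueError:
        out = 0
    return out, pos.debt
```

With the buggy check the flow returns the full 44m while 41.8m of debt remains outstanding; with the hardened check the withdrawal is refused and the collateral stays locked behind the debt.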

The suspicious flash loan transaction targeting the platform was flagged by CertiK.

According to one Twitter observer, the platform then updated its pool contract to counter-exploit US$2.4m in USDC from the hacker. Since then, the firm has also fixed the vulnerability in the MasterPlatypusV4 smart contract.