- Decentralised exchange runs on the Avalanche blockchain.
- Two attacks struck venture and exploited smart contract weakness.
- Platypus team has recovered a portion of the filched funds.
Hackers have swiped $1.6 million from Platypus Finance, a decentralised exchange running on the Avalanche blockchain, in the third attack targeting the protocol this year.
Two transactions early Thursday morning took advantage of a bug in the protocol’s code to withdraw staked Avalanche tokens, onchain data shows. The first transaction extracted $1.2 million, the second around $450,000.
It’s not clear if the first and second hacks were carried out by the same perpetrators or different ones.
“It’s concerning to see a platform experience multiple flash loan/oracle manipulation exploits in the course of a single year,” Hugh Brooks, director of security at crypto security firm CertiK, told DL News.
Brooks said that the hacker appeared to have manipulated asset prices to cause an imbalance in Platypus’ liquidity pools, allowing them to trick the protocol into letting them withdraw more funds than they should be able to.
“Due to suspicious activities in our protocol, we have taken the proactive measure of temporarily suspending all pools,” said a post from the Platypus Finance official X account shortly after the attacks took place. “Further updates will be communicated to the community in a timely manner.”
According to Igor Igamberdiev, head of research at crypto trading firm Wintermute, the hacker exploited a logic bug in the Platypus exchange’s smart contracts.
He explained the exploit involved first taking out flash loans then swapping between large amounts of wrapped and staked Avalanche — two tokens which normally trade at a similar value — to create a price imbalance. The hacker then exploited this price difference to withdraw large amounts of staked Avalanche at little cost.
“It was because of the wrong slippage calculation at the extreme value,” Igamberdiev said. “The exploiter got a positive slippage when he shouldn’t.”
At its peak in March last year, Platypus held more than $1.2 billion worth of user deposits. But after a crypto winter and numerous hacks, the exchange now holds less than $10 million.
Platypus is a decentralised exchange designed for swapping stable cryptocurrencies, such as wrapped and staked versions of Avalanche’s native AVAX token, as well as stablecoins.
The protocol also issued its own stablecoin called Platypus USD which lost parity with the dollar following a previous hack in February this year.
After the initial exploits, the Platypus team appears to have recovered $575,000 from the first hacker.
Igamberdiev explained that the first hacker left some of the stolen funds in their malicious contract. In order to conduct the exploit, the hacker approved transfers for staked and wrapped Avalanche tokens. However, these approvals also let the Platypus team move these tokens out of the hacker’s contract and back to their treasury.
“The Platypus team just changed the implementation and did transferFrom using these approvals because the copycater didn’t move funds,” Igamberdiev said.
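The recovery path described above, as an added example that is not from the article or from Platypus's code: a toy Python model of ERC-20 allowances, assuming the approvals were granted to an upgradeable proxy whose address stays fixed while its logic changes. All names (`Token`, `Proxy`, `PoolV1`, `PoolV2`, `rescue`, the address strings) and the amounts are constructed for illustration.

```python
# Toy model of ERC-20 allowances (constructed; not Platypus or real token code).
class Token:
    def __init__(self):
        self.balance = {}      # holder -> amount
        self.allowance = {}    # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        # ERC-20 rule: the allowance is keyed by the spender's address only,
        # so whatever code later runs at that address can use it.
        if self.allowance.get((owner, caller), 0) < amount:
            raise PermissionError("insufficient allowance")
        if self.balance.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        self.allowance[(owner, caller)] -= amount
        self.balance[owner] -= amount
        self.balance[to] = self.balance.get(to, 0) + amount

class PoolV1:
    """Original logic: no path that pulls approved tokens to a treasury."""

class PoolV2(PoolV1):
    """Upgraded logic (hypothetical): pulls tokens using existing allowances."""
    def rescue(self, proxy, token, owner, treasury):
        amount = min(token.balance.get(owner, 0),
                     token.allowance.get((owner, proxy.address), 0))
        token.transfer_from(proxy.address, owner, treasury, amount)
        return amount

class Proxy:
    """Fixed address, swappable implementation (upgradeable-proxy pattern)."""
    def __init__(self, address, impl):
        self.address, self.impl = address, impl

    def upgrade(self, impl):
        self.impl = impl

def demo():
    token, pool = Token(), Proxy("POOL", PoolV1())
    token.balance["EXPLOIT_CONTRACT"] = 1_000           # constructed: funds left behind
    token.approve("EXPLOIT_CONTRACT", "POOL", 10**9)    # approval granted for the swaps
    could_rescue_before = hasattr(pool.impl, "rescue")
    pool.upgrade(PoolV2())                              # same address, new code
    moved = pool.impl.rescue(pool, token, "EXPLOIT_CONTRACT", "TREASURY")
    return could_rescue_before, moved, token.balance["TREASURY"], token.balance["EXPLOIT_CONTRACT"]
```

The same property applies to ordinary users: an allowance granted to an upgradeable contract extends trust to any future implementation at that address, which is why approvals are best scoped to the exact amount and revoked after use.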
In addition to taking back the stolen tokens, the Platypus team has also reached out to the hacker in an attempt to negotiate a deal.
“We would like to negotiate returning of the funds. Please get back to us via Twitter, TG or via on-chain message,” said an onchain message sent to the hacker’s wallet.
DL News reached out to Platypus but did not immediately receive a response.
Platypus has suffered multiple exploits this year.
In February, a hacker stole approximately $8.5 million from Platypus using flash loans to exploit a bug in the exchange’s solvency check mechanism.
Platypus later identified the hacker, who had started using Binance to cash out their ill-gotten gains. The exchange recovered several million worth of stolen assets and guaranteed to return a minimum of 63% of lost funds to users.
Then in July, Platypus suffered another smaller exploit, costing it $51,000. As before, a hacker used a bug in the exchange’s code logic to withdraw funds.
Tim Craig is DL News’ Edinburgh-based DeFi Correspondent.