Platypus Finances Suffers $2.23m Loss in Flash Loan Exploit

Platypus Finance, a decentralized finance (DeFi) protocol, has fallen victim to yet another flash loan exploit, resulting in the loss of $2.23 million across three separate attacks that occurred on October 12, 2023, according to CertiK, a blockchain security firm.

In response to the attack, the protocol took the precautionary measure of suspending all its pools. The series of attacks unfolded methodically with the following procedure: the first attack, transpiring on October 12, saw $1.2 million extracted from the platform. Subsequently, a second attack occurred mere hours later, resulting in the theft of $575,000 worth of assets. Astonishingly, just a minute later, the third attack transpired, causing the loss of an additional $450,000 in assets.

The Platypus Finance protocol originated as a single-side Automated Market Maker (AMM) tailored for exchanging stable cryptocurrencies (ERC20 tokens) within the Avalanche blockchain ecosystem. Over time, Platypus has sought to innovate within the stablecoin and stableswap domains by amalgamating these functionalities, utilizing its underlying assets.

The protocol operates via a network of smart contracts designed to prioritize attributes like censorship resistance, security, self-custody, and capital efficiency. Its introduction of open liquidity pools for stableswap purposes represents a departure from conventional liquidity models, potentially addressing issues related to impermanent loss for liquidity providers and reducing trading slippage for users. In 2021, the platform secured $3.3 million in funding through a round led by Three Arrows Capital, which is currently bankrupt.

Flash loan attacks exploit vulnerabilities that enable traders to borrow cryptocurrencies instantaneously, bypassing the need to provide collateral for the transaction. CertiK also recently published a report on the state of crypto exploits.

The recent flash loan attack on Platypus marks the third such incident in 2023, signifying an ongoing vulnerability for the protocol. An earlier attack on February 16 resulted in a substantial loss of $8.5 million, paralleled by the depegging of the Platypus USD (USP) stablecoin, causing its value to plummet from $1 to $0.48. Additionally, CertiK reports that in July, the platform incurred another loss of approximately $157,000 due to a flash loan exploit. In response to the February attack, the DeFi protocol established a compensation portal in March. This portal was instrumental in assisting victims in assessing the compensation they were eligible for and provided a platform for expressing concerns before the distribution of funds.

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.