Flash Loan Attack on Platypus Finance Contract Reveals Critical Vulnerability in MasterPlatypusV4 Contract

On February 17, according to Beosin EagleEye, the security risk monitoring, early warning and blocking platform of Beosin, a blockchain security audit company, the Platypus project contract on the Avalanche chain was attacked using a flash loan. Beosin's security team found that the attacker first borrowed USD44 million through a flash loan and then called the deposit function of the Platypus Finance contract to stake it, which minted an equal amount of LP-USDC for the attacker. The attacker then staked all of the LP-USDC into pool 4 of the MasterPlatypusV4 contract and called the positionView function, which uses the _borrowLimitUSP function to calculate the borrowable balance. The _borrowLimitUSP function returns a percentage of the value of the assets staked in MasterPlatypusV4 as the maximum borrowable limit, and that return value was used to mint a large amount of USP through the borrow function.

Since the attacker held a large amount of debt (USP) borrowed against the LP-USDC, normal logic should not have allowed the staked assets to be withdrawn. However, the check in the emergencyWithdraw function of the MasterPlatypusV4 contract is flawed: it only checks whether the user's borrowed amount exceeds the user's borrowLimitUSP (borrowing limit), without checking whether the user has repaid the debt. This allowed the attacker to withdraw the collateral (44 million LP-USDC). After repaying the 44 million USDC flash loan, the attacker still had 41794533 USD left, and then converted the profit into various stablecoins worth 8522926 USD.

Beosin: Analysis of the attack in which the Platypus project on the Avalanche chain lost US$8.5 million

On February 17, the Platypus project contract on the Avalanche chain fell victim to a flash loan attack, as reported by Beosin EagleEye, the monitoring platform of the blockchain security audit company Beosin. The attacker reportedly borrowed USD44 million through the flash loan and deposited it into the Platypus Finance contract, which minted an equal amount of LP-USDC for the attacker. The attacker then staked all of the LP-USDC into pool 4 of the MasterPlatypusV4 contract and used its borrowLimitUSP function to calculate the maximum borrowable limit. The attacker successfully withdrew the staked assets worth 44 million LP-USDC and was left with a profit of over 41 million USD after repaying the flash loan.

The attack on the Platypus project contract is another example of the increasingly common flash loan attacks in the decentralized finance (DeFi) space. Flash loans let attackers borrow large sums without posting collateral, allowing them to maximize profit at minimal cost. DeFi platforms can reduce such attacks by implementing proper risk management measures and multifactor authentication processes that can help detect fraudulent transactions before they occur.

The Beosin security team’s analysis of the attack revealed a critical vulnerability in the emergencyWithdraw function check mechanism of the MasterPlatypusV4 contract. The check mechanism only detects whether the user’s borrowing amount exceeds the user’s borrowLimitUSP, without checking whether the user repays the debt. This flaw allowed the attacker to successfully extract the collateral, ultimately costing the Platypus project heavily. The incident highlights the need for businesses to conduct frequent security audits on their smart contract code to detect vulnerabilities, bugs, and other errors that can pose a threat.
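The flaw described in the incident summary and restated in the paragraph above is a solvency check performed on the wrong state: the withdrawal path compares the user's debt against the borrow limit of the collateral they hold at the moment of the call, rather than against the collateral that would remain afterwards. The following toy model is an added example, not code from the Platypus contracts or from Beosin. The function and variable names, the 95% collateral factor and the 1 USD valuation of each LP token are assumptions chosen for illustration; the flash-loan figure of 44 million is taken from the write-up, everything else is constructed. It places the flawed check beside a hardened one that evaluates solvency on the post-withdrawal position, and shows the resulting bad debt in each case.

```python
"""Toy model of staking LP tokens, minting a stablecoin against them, and an
emergency-withdraw path that checks solvency either on the current collateral
(the flaw described in the write-up) or on the collateral remaining after the
withdrawal. Constructed for illustration; names and parameters are assumed and
are not taken from the Platypus contracts."""
from dataclasses import dataclass

COLLATERAL_FACTOR_PCT = 95  # assumed: up to 95% of collateral value may be borrowed


@dataclass
class Position:
    collateral: int = 0  # staked LP tokens, valued at 1 USD each (assumed)
    debt: int = 0        # stablecoin units minted against the collateral


class LendingPool:
    def __init__(self) -> None:
        self.positions: dict[str, Position] = {}

    def _pos(self, user: str) -> Position:
        return self.positions.setdefault(user, Position())

    @staticmethod
    def borrow_limit(collateral: int) -> int:
        """Maximum debt that a given amount of collateral may back."""
        return collateral * COLLATERAL_FACTOR_PCT // 100

    def deposit(self, user: str, amount: int) -> None:
        self._pos(user).collateral += amount

    def borrow(self, user: str, amount: int) -> None:
        p = self._pos(user)
        if p.debt + amount > self.borrow_limit(p.collateral):
            raise ValueError("borrow exceeds limit")
        p.debt += amount

    def repay(self, user: str, amount: int) -> None:
        p = self._pos(user)
        p.debt -= min(amount, p.debt)

    def emergency_withdraw_vulnerable(self, user: str) -> int:
        """Flawed check: compares debt with the limit of the collateral the user
        holds right now. A borrower sitting exactly at the limit passes, takes
        the collateral, and the debt stays on the books unbacked."""
        p = self._pos(user)
        if p.debt > self.borrow_limit(p.collateral):
            raise ValueError("undercollateralized")
        amount, p.collateral = p.collateral, 0
        return amount

    def emergency_withdraw_fixed(self, user: str) -> int:
        """Hardened check: evaluate the limit on the collateral that would
        remain after the withdrawal (zero here), so any open debt blocks it."""
        p = self._pos(user)
        remaining_collateral = 0
        if p.debt > self.borrow_limit(remaining_collateral):
            raise ValueError("repay outstanding debt before withdrawing")
        amount, p.collateral = p.collateral, 0
        return amount

    def bad_debt(self) -> int:
        """Total debt no longer covered by its collateral's borrow limit."""
        return sum(p.debt - self.borrow_limit(p.collateral)
                   for p in self.positions.values()
                   if p.debt > self.borrow_limit(p.collateral))


def run_scenario(use_fix: bool, flash_loan: int = 44_000_000) -> dict:
    """Replay the sequence from the write-up against the toy pool: deposit the
    flash-loaned funds, borrow the maximum, then attempt an emergency withdrawal."""
    pool = LendingPool()
    user = "borrower"
    pool.deposit(user, flash_loan)
    pool.borrow(user, pool.borrow_limit(flash_loan))
    withdraw = pool.emergency_withdraw_fixed if use_fix else pool.emergency_withdraw_vulnerable
    try:
        withdrawn, blocked = withdraw(user), False
    except ValueError:
        withdrawn, blocked = 0, True
    pos = pool.positions[user]
    return {
        "withdrawn": withdrawn,
        "blocked": blocked,
        "debt_left": pos.debt,
        "bad_debt": pool.bad_debt(),
        # collateral recovered plus stablecoin minted, minus the loan to repay
        "net_vs_loan": withdrawn + pos.debt - flash_loan,
    }


def repay_then_withdraw(flash_loan: int = 44_000_000) -> int:
    """The legitimate path under the hardened check: clear the debt first."""
    pool = LendingPool()
    pool.deposit("user", flash_loan)
    pool.borrow("user", pool.borrow_limit(flash_loan))
    pool.repay("user", pool.borrow_limit(flash_loan))
    return pool.emergency_withdraw_fixed("user")


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "vulnerable", run_scenario(fixed))
```

In the vulnerable run the pool is left holding 41.8 million units of unbacked debt while the borrower walks away with the full collateral and a positive balance after repaying the loan; with the hardened check the withdrawal is refused until the debt is repaid, after which the same call succeeds. The design point is that any check guarding a collateral transfer has to be computed on the state after the transfer, not before it.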

The attack on the Platypus project contract underlines the critical importance of security and caution in the DeFi space. DeFi platforms must implement proper risk management measures to safeguard their financial systems and the users who invest in them. Working with reputable blockchain security firms like Beosin can help detect and prevent attacks in the DeFi space, strengthen smart contracts and improve market transparency.

In conclusion, the recent flash loan attack on the Platypus project contract on the Avalanche chain provides a cautionary tale for DeFi businesses, with severe implications for user security. The vulnerability in the MasterPlatypusV4 contract shows how security audits play a critical role in helping businesses protect their systems, validate security measures, and mitigate threats from attackers.
