Platypus Project on Avalanche Chain Attacked by Flash Loan


On February 17, according to Beosin EagleEye, the security risk monitoring, early-warning and blocking platform of the blockchain security audit company Beosin, the Platypus project contract on the Avalanche chain was attacked using a flash loan. Beosin's security team analysed the attack as follows. The attacker first borrowed USD 44 million through a flash loan and called the deposit function of the Platypus Finance contract to stake it, which minted an equal amount of LP-USDC for the attacker. The attacker then staked all of the LP-USDC into pool 4 of the MasterPlatypusV4 contract and called the positionView function, which uses the _borrowLimitUSP function to calculate the loanable balance. _borrowLimitUSP returns a percentage of the value of the assets staked in MasterPlatypusV4 as the maximum loanable limit, and the attacker used that return value to mint a large amount of USP through the borrow function. Since the attacker now held a large USP debt backed by the LP-USDC, the stake should not have been withdrawable under normal logic. However, the check in the emergencyWithdraw function of the MasterPlatypusV4 contract is flawed: it only checks whether the user's borrowed amount exceeds the user's borrowLimitUSP (borrowing limit), without checking whether the user has repaid the debt. This allowed the attacker to withdraw the collateral (44 million LP-USDC). After repaying the 44 million USDC flash loan, the attacker still had USD 41,794,533 left, and then converted the profit into various stablecoins worth USD 8,522,926.

Beosin: Analysis of the attack event that the Platypus project on Avalanche chain lost US $8.5 million

Interpretation of the news:

According to Beosin EagleEye security risk monitoring, the Platypus project contract on the Avalanche chain was attacked by a flash loan on February 17. The attacker borrowed USD 44 million through a flash loan and called the deposit function of the Platypus Finance contract to stake it, receiving LP-USDC in return. The attacker then staked all of the LP-USDC into pool 4 of the MasterPlatypusV4 contract and called the positionView function, which uses the borrowLimitUSP function to calculate the maximum loanable balance. Using this calculated value, the attacker borrowed a large amount of USP through the borrow function.

Because of the large USP debt borrowed against the LP-USDC, the attacker should not have been able to withdraw the staked collateral under normal logic. However, a flaw in the check performed by the emergencyWithdraw function of the MasterPlatypusV4 contract allowed the attacker to withdraw the collateral (44 million LP-USDC) without repaying the debt.
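The following is an added illustration (not Beosin's analysis code and not the Platypus contracts) of the withdrawal check described in both the analysis above and this summary: a minimal accounting model in which the flawed emergencyWithdraw compares the debt against the limit of the collateral that is about to leave, and a hardened variant that re-evaluates the limit with the collateral removed. The collateral factor of 95% and the function names are assumptions for the model.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model (not the project's code) of the accounting described in the
# article. COLLATERAL_FACTOR_PCT is an assumed value; the page does not state it.
COLLATERAL_FACTOR_PCT = 95


@dataclass
class Position:
    collateral: int = 0  # LP-USDC staked in the pool
    debt: int = 0        # USP borrowed against that stake


def borrow_limit_usp(collateral: int) -> int:
    """Stand-in for _borrowLimitUSP: a percentage of the staked value."""
    return collateral * COLLATERAL_FACTOR_PCT // 100


def borrow(pos: Position, amount: int) -> None:
    """Stand-in for borrow: mint USP as long as the limit covers the debt."""
    if pos.debt + amount > borrow_limit_usp(pos.collateral):
        raise ValueError("borrow exceeds limit")
    pos.debt += amount


def emergency_withdraw_flawed(pos: Position) -> int:
    """The check as the article describes it: debt against the limit of the
    collateral that is about to leave, with no requirement that debt be repaid."""
    if pos.debt > borrow_limit_usp(pos.collateral):
        raise ValueError("position over limit")
    out, pos.collateral = pos.collateral, 0
    return out


def emergency_withdraw_fixed(pos: Position) -> int:
    """Hardened check: the limit must still cover the debt once the collateral is gone."""
    if pos.debt > borrow_limit_usp(0):  # any outstanding debt fails here
        raise ValueError("repay debt before withdrawing")
    out, pos.collateral = pos.collateral, 0
    return out


def run_sequence(withdraw, flash_loan: int = 44_000_000) -> Optional[Tuple[int, int]]:
    """Deposit the flash-loaned amount, borrow the full limit, then try to withdraw.
    Returns (collateral withdrawn, debt left unpaid), or None if the check rejects."""
    pos = Position(collateral=flash_loan)          # deposit mints equal LP-USDC
    borrow(pos, borrow_limit_usp(pos.collateral))  # borrow up to the limit
    try:
        return withdraw(pos), pos.debt
    except ValueError:
        return None
```

With the flawed check the sequence returns the full collateral while the entire debt is still outstanding; with the hardened check the same sequence is rejected.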

The attacker was still left with USD 41,794,533 after repaying the flash loan of USD 44 million. The attacker then converted the profitable USD into various stable currencies worth USD 8,522,926.

This incident highlights the need for robust security measures in the blockchain industry. Flash loans have become an increasingly popular tool for attackers to exploit vulnerabilities in smart contracts. It is essential for blockchain companies to conduct regular security audits and implement necessary measures to prevent such attacks.

The involvement of Beosin EagleEye in monitoring and detecting the attack reflects the importance of third-party security auditing services in the blockchain industry. Companies can benefit from utilizing the services of companies such as Beosin for comprehensive blockchain security risk monitoring and early warning.

In conclusion, this attack on the Platypus project contract on the Avalanche chain serves as a reminder of the importance of blockchain security and vulnerability management. Companies in the blockchain industry must prioritize security measures to prevent attacks and ensure the safety of their users and investors.
