How USP Depegging on Avalanche-Based Platypus Finance Was Caused by a Solvency Check Error


Platypus Finance’s native stablecoin fell to 48 cents from $1 earlier on Friday following the attack

According to the developers, Platypus Finance’s USP stablecoin fell more than 50% below its intended peg to the US dollar earlier on Friday because of a flaw in a key pricing mechanism.

Platypus posted a message on its Twitter account that read, “We regret to inform you that our protocol was hacked recently, and the attacker took advantage of a flaw in our USP solvency check mechanism.” The attacker used a flash loan to exploit a logic flaw in the USP solvency check mechanism of the collateral-holding contract.

The flawed solvency check mechanism deceived Platypus smart contracts into treating USP as fully backed, as intended, and the exploit began from there.

Like other decentralized stablecoin exchanges, Platypus Finance relies on smart contracts rather than middlemen to exchange stablecoins cheaply and with low slippage. As of Thursday, the protocol had more than $50 million worth of locked tokens.

Exploiters carried out a flash-loan attack on Platypus on Thursday night, stealing more than $8.5 million from the protocol.

Things to know

USP is a stablecoin. Its price depends on the amount of USP available in a pool known as the Main Pool, and as more people exchange other tokens for USP, the price may slightly decrease.

The price rises again when there is less USP in the Main Pool. People who borrow USP pay a fee, which goes up as more USP enters the Main Pool, in order to keep the price at $1. This encourages people to borrow more or pay back their debts.

A flash loan is a decentralized finance (DeFi) mechanism that lets users borrow large sums of money with little or no collateral, as long as the loan is repaid in the same transaction.

Flash loans are not always bad: traders typically make use of them, but criminals may also use flash loans to trick a protocol’s smart contract into changing liquidity pool prices and taking over that pool’s assets.

How the attacker stole millions

According to blockchain data, the exploiter took out a flash loan of more than $44 million from the lending platform Aave. They then used that money to supply liquidity to a trading pool on Platypus and deceived smart contracts into issuing $44 million of the LP token, which is called LP-USDC, in return.

All of this took place in two separate transactions. After that, these LP tokens were deposited into a staking contract on Platypus, which paid out 11,000 Platypus (PTP) tokens as a staking reward.

Because Platypus allows users to borrow USP stablecoins against their LP positions, the attacker was also able to obtain 41 million USP tokens by using the $44 million in LP tokens as collateral.

At this point, the attacker used the Platypus smart contract’s “emergency withdraw” function to withdraw the $44 million that was initially supplied to the Platypus liquidity pool. The error in the code’s solvency check meant the withdrawal was not blocked, so the attacker was able to take the tokens and pay back the Aave flash loan.

However, the 41 million USP tokens that were issued were not revoked by the system, allowing the attacker to exchange them for the $8.5 million in liquidity on Platypus at the time.
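The accounting failure described above, as an added toy model in Python (not Platypus's contract code and not part of the original article). It assumes the weak check tested solvency against collateral that was still deposited; the 95% collateral factor and all names are hypothetical, and the amounts are the article's $44 million and 41 million USP.

```python
from dataclasses import dataclass

FACTOR_BPS = 9_500  # assumed: debt may reach 95% of collateral value


class Insolvent(Exception):
    """The action would leave debt above the borrow limit."""


@dataclass
class Position:
    collateral: int = 0  # value of staked LP tokens
    debt: int = 0        # stablecoin minted against that collateral


class Vault:
    def __init__(self, check_after_withdrawal):
        self.check_after_withdrawal = check_after_withdrawal
        self.positions = {}

    def deposit(self, user, amount):
        self.positions.setdefault(user, Position()).collateral += amount

    def borrow(self, user, amount):
        pos = self.positions[user]
        if (pos.debt + amount) * 10_000 > pos.collateral * FACTOR_BPS:
            raise Insolvent("borrow exceeds limit")
        pos.debt += amount

    def emergency_withdraw(self, user):
        pos = self.positions[user]
        # Weak form (assumed): solvency is tested against collateral that is
        # still deposited. Hardened form: test the state after it has left.
        remaining = 0 if self.check_after_withdrawal else pos.collateral
        if pos.debt * 10_000 > remaining * FACTOR_BPS:
            raise Insolvent("repay outstanding debt first")
        amount, pos.collateral = pos.collateral, 0
        return amount

    def unbacked_debt(self):
        return sum(max(0, p.debt - p.collateral) for p in self.positions.values())


def replay(vault):
    """Run the article's sequence; return (withdrawn, unbacked debt)."""
    vault.deposit("user", 44_000_000)
    vault.borrow("user", 41_000_000)
    try:
        withdrawn = vault.emergency_withdraw("user")
    except Insolvent:
        withdrawn = 0
    return withdrawn, vault.unbacked_debt()
```

`replay(Vault(check_after_withdrawal=False))` lets the full collateral leave while the minted debt stays outstanding; with `check_after_withdrawal=True` the withdrawal is rejected until the debt is repaid.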

As of Friday, Platypus said it had contacted the attacker to negotiate a bounty in exchange for the return of the funds.

It also stated that crypto exchanges and relevant security parties were contacted: “To prevent further losses and freeze the hacker’s funds, we are currently collaborating with Binance, Tether, and Circle. The USDT is frozen right now.”

Developers tweeted, “We are also looking into options for compensating and reimbursing affected investors.”

At the time of writing on Friday morning, USP was trading at 47 cents.