Beosin: Analysis of the attack event that the Platypus project on Avalanche chain lost US $8.5 million

On February 17, according to monitoring by Beosin EagleEye, the security risk monitoring, early warning and blocking platform of the blockchain security audit company Beosin, the Platypus project contract on the Avalanche chain was attacked via a flash loan. Beosin's security team found that the attacker first borrowed USD44 million through a flash loan and then called the deposit function of the Platypus Finance contract to pledge it, which minted an equal amount of LP-USDC for the attacker. The attacker then pledged all of the LP-USDC into pool 4 of the MasterPlatypusV4 contract and called the positionView function, which uses the _borrowLimitUSP function to calculate the loanable balance. _borrowLimitUSP returns a percentage of the value of the collateral pledged in MasterPlatypusV4 as the maximum loanable limit, and that return value was used to mint a large amount of USP through the borrow function. Since the attacker held a large amount of debt (USP) borrowed against the LP-USDC, under normal logic it should not have been possible to withdraw the collateral. However, the check mechanism of the emergencyWithdraw function of the MasterPlatypusV4 contract only verifies whether the user's borrowed amount exceeds the user's borrowLimitUSP (borrowing limit) and does not check whether the user has repaid the debt, which allowed the attacker to withdraw the collateral (44 million LP-USDC). After repaying the 44 million USDC flash loan, the attacker still had 41794533 USD left, and then converted the profit into various stablecoins worth 8522926 USD.


Interpretation of this information:

On February 17th, the Platypus project contract on the Avalanche chain was attacked via a flash loan. The attacker borrowed $44 million through the flash loan and then called the deposit function of the Platypus Finance contract to pledge it, receiving LP-USDC for the same amount. The attacker then pledged all LP-USDC into pool 4 of the MasterPlatypusV4 contract and used the borrowLimitUSP function to calculate the maximum loanable balance. They then borrowed a large amount of USP using the borrow function. However, due to a problem with the check mechanism of the emergencyWithdraw function of the MasterPlatypusV4 contract, the attacker was able to withdraw the collateral ($44 million LP-USDC) even though they still held a large amount of debt (USP) borrowed against the LP-USDC. After repaying the flash loan, the attacker still had $41,794,533 left, which they converted into various stablecoins worth $8,522,926.
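To make the flawed check described in both passages above concrete, here is an added, simplified model (illustration only, not the Platypus or MasterPlatypusV4 source) of a collateral vault whose emergency withdrawal checks solvency against collateral that is still in the vault, beside the hardened form that refuses to release collateral while any debt is outstanding. The contract name, the 90% loan-to-value figure and the function names other than those mentioned in the article are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model of the withdrawal check discussed above (illustration, not Platypus code).
// Collateral and debt are tracked per user; the borrow limit is a fixed fraction of collateral.
contract CollateralVaultModel {
    uint256 public constant LTV_PERCENT = 90; // assumed limit: 90% of collateral value

    mapping(address => uint256) public collateral; // LP tokens deposited by each user
    mapping(address => uint256) public debt;       // USP borrowed against that collateral

    function deposit(uint256 amount) external { collateral[msg.sender] += amount; }

    // Maximum debt a user may hold, as a percentage of pledged collateral
    function borrowLimitUSP(address user) public view returns (uint256) {
        return collateral[user] * LTV_PERCENT / 100;
    }

    function borrow(uint256 amount) external {
        require(debt[msg.sender] + amount <= borrowLimitUSP(msg.sender), "exceeds limit");
        debt[msg.sender] += amount;
    }

    function repay(uint256 amount) external { debt[msg.sender] -= amount; }

    // VULNERABLE pattern: the solvency check is evaluated while the collateral is still
    // in the vault, so any user whose debt is within the limit passes it and then removes
    // all collateral, leaving the debt unbacked.
    function emergencyWithdrawVulnerable() external {
        require(debt[msg.sender] <= borrowLimitUSP(msg.sender), "insolvent");
        uint256 amount = collateral[msg.sender];
        collateral[msg.sender] = 0;
        _transferOut(msg.sender, amount);
    }

    // HARDENED pattern: collateral may only leave once no debt remains against it.
    function emergencyWithdrawFixed() external {
        require(debt[msg.sender] == 0, "outstanding debt");
        uint256 amount = collateral[msg.sender];
        collateral[msg.sender] = 0;
        _transferOut(msg.sender, amount);
    }

    // Token transfer omitted in this model
    function _transferOut(address, uint256) internal {}
}
```

A reviewer auditing withdrawal paths should apply the same rule to every exit function, including emergency ones: either require zero debt or re-run the solvency check against the collateral balance that would remain after the withdrawal.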
