Decentralized finance (DeFi) protocol Platypus has suffered a significant security breach, resulting in a loss of over $2 million. The exploit, which took place on October 12, 2023, was the result of a flash loan attack.
Due to suspicious activities in our protocol, we have taken the proactive measure of temporarily suspending all pools.
Further updates will be communicated to the community in a timely manner.
Thank you for your patience and understanding during this time.
— Platypus 🔺 (🦆+🦦+🦫) (@Platypusdefi) October 12, 2023
Flash loans are a feature in decentralized finance that allows users to borrow assets without providing collateral, as long as the loan is repaid within the same transaction block. Regrettably, there have been instances where malicious actors have taken advantage of this system, either by manipulating market values or by identifying and exploiting weaknesses within DeFi protocols.
Two attackers have taken ~$1.3m WAVAX and ~913k sAVAX
Platypus have since suspended pools while they investigatehttps://t.co/ZzBfmaLmzN
— CertiK Alert (@CertiKAlert) October 12, 2023
The attack specifically targeted the AVAX-sAVAX liquidity pool. Two attackers reportedly took about $1.3 million worth of wrapped AVAX (WAVAX) and about $913,000 in liquid-staked AVAX (sAVAX). In response to the attack, Platypus suspended all of its pools. The protocol is currently investigating the incident and working towards resolving the issue.
— PeckShield Inc. (@peckshield) October 12, 2023
This Wasn’t Platypus DeFi’s First Attack
This is not the first time Platypus has experienced a security breach. In February 2023, the protocol suffered a similar flash loan attack, resulting in a loss of $8.5 million. That incident exploited a vulnerability in Platypus’ native stable token’s USP solvency check mechanism.
In March, the DeFi protocol established a restitution portal for those affected by the February breach. This portal served as a platform for users to confirm their eligible reimbursement from the system and voice any issues before the allocation of funds.
As of September, the Platypus team had recovered about 61.7% of the original losses incurred by its liquidity pools during the USP exploit. They used a reserved treasury to initiate a second phase of compensation on September 26.
The recent attacks underscore the need for enhanced security measures within DeFi protocols. As the industry continues to grow and evolve, it’s clear that there’s still much work to be done to ensure the safety and security of digital assets.