
A decentralized exchange named Platypus Finance, operating on the Avalanche blockchain, has been targeted in its third attack this year, resulting in the theft of $1.6 million. Onchain data reveals that two transactions occurred in the early hours of Thursday, exploiting a bug in the protocol's code to withdraw staked Avalanche tokens. The initial transaction extracted $1.2 million, followed by a second transaction of approximately $450,000. It remains unclear whether the same individuals or separate hackers were responsible for both incidents.
CertiK's director of security, Hugh Brooks, expressed concern regarding the platform's susceptibility to multiple flash loan and oracle manipulation exploits within a single year. According to Brooks, the hacker manipulated asset prices to create an imbalance in Platypus' liquidity pools. This manipulation tricked the protocol into allowing the hacker to withdraw more funds than they were entitled to.
Wintermute's head of research, Igor Igamberdiev, explained that the hacker exploited a logic flaw in Platypus' smart contracts. The exploit involved utilizing flash loans and swapping large amounts of wrapped and staked Avalanche tokens, which typically have similar values. By creating a price imbalance through this process, the hacker could successfully withdraw significant amounts of staked Avalanche without incurring substantial costs.
Previously, in February, Platypus suffered a hack that resulted in the loss of around $8.5 million. The hacker utilized flash loans to exploit a bug in the exchange's solvency check mechanism. However, the exchange successfully identified the hacker, recovered a significant portion of the stolen assets, and promised to return at least 63% of the lost funds to affected users.
Despite the recent hack, the Platypus team managed to recover $575,000 from the first hacker by moving the stolen funds out of the hacker's malicious contract and back into the Platypus treasury. Additionally, the team has attempted to negotiate with the hacker through an onchain message.
Platypus, once holding over $1.2 billion worth of user deposits, has faced significant challenges due to multiple hacks and market volatility. Currently, the exchange holds less than $10 million in assets. It primarily serves as a decentralized trading platform for stable cryptocurrencies, including wrapped and staked versions of Avalanche's native AVAX token and stablecoins. A hack in February also caused its stablecoin, Platypus USD, to lose parity with the dollar.
DL News reached out to Platypus for comment but has not received an immediate response.