In October 2023, Platypus Finance, a stablecoin based on the Avalanche blockchain, was the victim of its third hack in a single year. The attackers exploited a vulnerability in the project’s smart contracts to extract an estimated $2.2 million in Staked AVAX and Wrapped AVAX tokens.
Inside the Attack
Like earlier hacks of the Platypus Finance protocol, this hack exploited a price manipulation vulnerability. These vulnerabilities exist if the swap price for an asset pair is calculated inside of a smart contract’s code and is potentially manipulable by an attacker.
In this case, both the cash and liability values in the protocol’s smart contract had the ability to cause slippage in the swap price. If an attacker could create significant slippage, they could drain value from the protocol.
The attacker began by working to increase the liability. To do so, they deposited WAVAX tokens to LP-AVAX and sAVAX to the LP-sAVAX contract. Then, they used the LP-AVAX contract to swap sAVAX to WAVAX, reducing that contract’s cash reserves. Finally, they eliminated that contract’s cash reserves by withdrawing all WAVAX from the contract.
The end result of these actions was that the swap price of the contract was increased, creating an opportunity for the attacker to drain value from the contract. In the end, they were able to steal about $2.2 million from the protocol.
As in the past, this Platypus Finance exploiter was far from professional. After stealing the funds from the project, they left them in an insecure wallet. As a result, an estimated $575K of the stolen tokens were retrieved by the protocol. However, the remaining $1.6 million remains under the control of the attacker.
Lessons Learned from the Attack
Price manipulation vulnerabilities are a well-known threat to smart contracts. This is especially true for the Platypus Finance protocol, which has been hacked via the same means multiple times this year.
This type of vulnerability can be identified via a smart contract audit, and the protocol has undergone them in the past. However, the last audit was performed several months before the targeted smart contracts were deployed. As a result, vulnerable smart contracts were deployed. which resulted in another multi-million dollar hack of the protocol.
Smart contract audits should be performed before any new smart contract code is deployed to the blockchain to identify and fix vulnerabilities before they can be exploited by an attacker. For more information about protecting your smart contracts against similar attacks, get in touch.