Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Reproducible Foundry test fork from SunWeb3Sec/DeFiHackLabs. Clone the repo, run forge test against the file path above, and replay the exploit against a mainnet fork at the historical block. Use for reproduction only — not for live targets.
The stablecoin trading project Platypus encountered a flash loan attack on AAVE, resulting in a total asset loss of approximately $9 million.

According to the analysis, the vulnerability seems to lie in the check performed by the emergencyWithdraw function of the MasterPlatypusV4 contract, which fails only when the borrowed assets exceed the borrowing limit. The function then proceeds to transfer all of the user's deposit assets regardless of the value of the user's borrowed assets.

On Feb. 18, The Block reported that at least $2.4 million had been recovered with the help of security firms after the Platypus hack.

Attack method (per SlowMist): Flash Loan Attack. Reported loss: $9,000,000.
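The check described above, as a simplified Python model added here for illustration (it is not the MasterPlatypusV4 source). The `Position` type, the function names and the 50% collateral factor are assumptions; the point is the difference between testing solvency before the deposit leaves and testing it against what remains afterwards.

```python
from dataclasses import dataclass

COLLATERAL_FACTOR = 0.5  # assumed: debt may reach 50% of the deposit value


@dataclass
class Position:
    deposit: float  # collateral staked by the user
    debt: float     # amount borrowed against that collateral


def borrow_limit(deposit: float) -> float:
    return deposit * COLLATERAL_FACTOR


def emergency_withdraw_flawed(pos: Position) -> float:
    """Tests solvency against the deposit as it stands BEFORE the withdrawal."""
    if pos.debt > borrow_limit(pos.deposit):
        raise PermissionError("position is over its borrowing limit")
    paid_out, pos.deposit = pos.deposit, 0.0  # whole deposit leaves, debt untouched
    return paid_out


def emergency_withdraw_checked(pos: Position) -> float:
    """Tests solvency against what would remain AFTER the withdrawal."""
    remaining = 0.0  # an emergency withdrawal removes the whole deposit
    if pos.debt > borrow_limit(remaining):
        raise PermissionError("outstanding debt must be repaid first")
    paid_out, pos.deposit = pos.deposit, remaining
    return paid_out


def unbacked_debt(pos: Position) -> float:
    """Debt no longer covered by the borrowing limit, i.e. the protocol's loss."""
    return max(0.0, pos.debt - borrow_limit(pos.deposit))


if __name__ == "__main__":
    # Constructed sample position: within its limit, but carrying debt.
    p = Position(deposit=1000.0, debt=400.0)
    print("flawed payout:", emergency_withdraw_flawed(p))
    print("unbacked debt left behind:", unbacked_debt(p))
    try:
        emergency_withdraw_checked(Position(deposit=1000.0, debt=400.0))
    except PermissionError as exc:
        print("checked version refuses:", exc)
```

A monitoring rule follows from the same invariant: after any withdrawal path, a position's debt should never exceed the limit computed from its remaining deposit.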
- chain: —
- protocol: Platypus
- bug_class: access-control
- date_occurred: 2023-02-17
- loss_usd: $9,000,000
- source_id: sm:platypus::2023-02-17