According to the monitoring of Beosin EagleEye, a subsidiary of Beosin, the Platypus project contract on the Avalanche chain was hit by a flash loan attack. The Beosin security team analyzed the incident and found that the attacker first borrowed 44 million USDC through a flash loan and then called the deposit function of the Platypus Finance contract to pledge it. The attacker minted the same amount of LP-USDC, pledged all of the LP-USDC into pool No. 4 of the MasterPlatypusV4 contract, and then called the positionView function, which uses the _borrowLimitUSP function to calculate the loanable balance. The _borrowLimitUSP function returns a percentage of the value of the items pledged in MasterPlatypusV4 as the upper limit of the loan, and the attacker used this return value to mint a large amount of USP (the profit point) through the borrow function.

Since the attacker held a large amount of debt (USP) borrowed against the LP-USDC, under normal logic the collateral should not have been withdrawable. However, there is a problem with the checking mechanism of the emergencyWithdraw function in the MasterPlatypusV4 contract: it only checks whether the user's loan amount exceeds the user's borrowLimitUSP (borrowing limit) and does not check whether the user has repaid the debt, so the attacker successfully withdrew the collateral (44 million LP-USDC). After repaying the 44 million USDC flash loan, the attacker still had 41,794,533 USP left, and then converted the profitable USP into various stablecoins worth 8,522,926 US dollars.
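The difference between the solvency check described above and a check that the debt has been repaid can be reproduced in a small model. This Python code is an added example, not the Platypus contract code; the class and method names and the 95% collateral factor are assumptions made for illustration.

```python
class InsolventError(Exception):
    pass

class LendingPool:
    """Toy model of a staking pool that lets users borrow against staked LP tokens."""
    COLLATERAL_FACTOR_BPS = 9_500  # constructed value; the page gives no percentage

    def __init__(self):
        self.staked = {}  # user -> staked LP amount
        self.debt = {}    # user -> borrowed stablecoin amount

    def deposit(self, user, amount):
        self.staked[user] = self.staked.get(user, 0) + amount

    def borrow_limit(self, user):
        return self.staked.get(user, 0) * self.COLLATERAL_FACTOR_BPS // 10_000

    def borrow(self, user, amount):
        if self.debt.get(user, 0) + amount > self.borrow_limit(user):
            raise InsolventError("borrow exceeds limit")
        self.debt[user] = self.debt.get(user, 0) + amount

    def emergency_withdraw_flawed(self, user):
        # Check described on the page: only "debt <= borrow limit", evaluated
        # while the collateral is still staked, so a maxed-out borrower passes.
        if self.debt.get(user, 0) > self.borrow_limit(user):
            raise InsolventError("position insolvent")
        return self.staked.pop(user, 0)

    def emergency_withdraw_checked(self, user):
        # Corrected check: collateral leaves only when no debt is outstanding.
        if self.debt.get(user, 0) != 0:
            raise InsolventError("outstanding debt must be repaid first")
        return self.staked.pop(user, 0)

def unbacked_debt(pool, user):
    """Debt that is no longer covered by the user's borrow limit."""
    return max(0, pool.debt.get(user, 0) - pool.borrow_limit(user))

def run_scenario(withdraw_name):
    """Deposit, borrow to the limit, attempt withdrawal; return (withdrew, unbacked debt)."""
    pool = LendingPool()
    pool.deposit("user", 44_000_000)
    pool.borrow("user", pool.borrow_limit("user"))
    try:
        getattr(pool, withdraw_name)("user")
        withdrew = True
    except InsolventError:
        withdrew = False
    return withdrew, unbacked_debt(pool, "user")
```

An invariant worth asserting in contract tests is that `unbacked_debt` stays at zero after every state-changing call, including emergency paths.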