Platypus Stablecoin USP Hack Analysis — Withdraw funds without paying the debt
Overview:
On February 16th, 2023, a hack on the platypus stablecoin DeFi platform lets an attacker withdraw funds without paying back the loans they had previously taken out. During the smart contract hack analysis, it was discovered that the emergency Withdraw feature did not verify that the user had paid back the loan before enabling them to transfer funds directly from the pool, resulting in a loss of approximately $9.05M.
Smart Contract Hack Overview:
- Attackers transaction: 0x1266a9,0x997bfe1,0x919266
- Attacker’s contract: 0x67afdd6
- Attacker’s address: 0x503fcc0,0x67afdd
- Platypus-Treasure Code: 0xbcd6796
- MasterPlatypusV4 contract Code: 0xc007f27b7
- AVAX-contract Code:0xfe22fdb6ae7
- LP-USDC Proxy Code: 0xaef735b
- USP-Proxy Code: 0xdacde
- PTP-contract Code: 0x22d40020
- Complete Exploit flow mind-map: 0xeff003d64046
- Stolen Funds remain here: 0x54cdcbdba
Decoding the Smart Contract Vulnerability:
- The attacker began by obtaining a flash loan from AAVE for 44M USDC to deposit to Platypus Finance Pool and minted ~44M LP-USDC equivalent.
- The attacker then borrowed 42 million USP tokens from the Platypus Treasury and placed 44 million LP-USDC tokens into the MasterPlatypusV4 contract.
- The attacker calls the emergencyWithdraw() function of the MasterPlatypusV4 contract where the contract gets broken, the function first checks if a user isSolvent. Since the user.amount was not set to zero, the platypus finance contract treated the user as solvent and permitted emergency withdrawal.
- To further exploit the loophole attacker withdrew 44M USDC from the Platypus Finance pool and swapped USP to USDT, BUSD, DAI, and USDC.e to gain profits, and the flash loan was repaid at last.
Mitigation and Best Practices:
- To prevent reentrancy attacks, consider moving the
lpToken.transfer()call to the end of the function after all other state changes have been made. Alternatively, consider using the `OpenZeppelin ReentrancyGuard library`, which provides more robust protection against reentrancy attacks. - Add a check to ensure that the
user.amountis greater than or equal to the amount being withdrawn before transferring the tokens to the user. - Update the
usersbalance so that it can’t be treated as a solvent to the platypus finance contract. - To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
- Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detection at SolidityScan including access control vulnerabilities.
Conclusion:
SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup
Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord
