Full Report
Platypus Finance has joined the leaderboard for a second time! The smart contracts had been audited. However, they recently added some new functionality, which got them pwned. The attack stemmed from a price manipulation issue: the swap price depends on the ratio of cash to liability in the protocol, and by manipulating both, the slippage drastically increases. Eventually, this leads to far fewer funds than anticipated being sent for a trade. To do this, the attacker takes out several large flash loans. From there, they deposit wAVAX to LP-AVAX and stake AVAX to LP-sAVAX, in order to increase the liability of both contracts. Next, the attacker swaps sAVAX for wAVAX to reduce the cash of the LP-AVAX contract. Finally, they remove all of the available cash by withdrawing the wAVAX. The setup is complete: almost no cash is left within the contract. The attacker then performs a swap at the manipulated price to steal a bunch of funds. Absolutely wild. I don't fully understand the manipulation, since I'm not familiar with the protocol, but it's interesting nonetheless.
Analysis Summary
# Incident Report: Platypus Finance Flash Loan Price Manipulation
## Executive Summary
On October 13, 2023, Platypus Finance, a decentralized exchange on the Avalanche network, was exploited via a flash loan attack that manipulated the protocol's swap pricing. The attacker abused the way a swap quote depends on each pool's "cash" (tokens held) and "liability" (tokens owed to liquidity providers): by pushing that ratio to an extreme within a single transaction, the slippage term produced a badly mispriced swap, and approximately $2.2M in assets was drained. This marks the third major security incident for the protocol within an eight-month period.
## Incident Details
- **Discovery Date:** October 13, 2023
- **Incident Date:** October 13, 2023
- **Affected Organization:** Platypus Finance
- **Sector:** Decentralized Finance (DeFi)
- **Geography:** Global / Decentralized (Avalanche Blockchain)
## Timeline of Events
### Initial Access
- **Date/Time:** Friday, October 13, 2023
- **Vector:** Exploitation of smart contract logic via flash loans.
- **Details:** The attacker utilized three specific transactions to interact with the LP-AVAX and LP-sAVAX pools.
### Lateral Movement
- **N/A:** As a DeFi exploit, the equivalent of lateral movement was manipulating pool state (cash and liability, and through them the `actualToAmount` the swap logic returns) to create favorable conditions for a final malicious swap.
### Data Exfiltration/Impact
- **Financial Loss:** Approximately $2,200,000 in WAVAX and sAVAX was drained from the liquidity pools.
- **Contract Impact:** The attacker manipulated the ratio of cash to liability, effectively removing almost all available cash from the LP-AVAX contract.
### Detection & Response
- **Monitoring:** On-chain security monitoring firms (CertiK, PeckShield) raised alarms as losses began to mount.
- **Response Actions:** The Platypus team proactively suspended all liquidity pools to prevent further drainage. Hummus Exchange (a fork) also paused its pools to avoid a similar fate.
## Attack Methodology
- **Initial Access:** Smart contract interaction via malicious contracts (0x4cfb52... and 0xf2c444...).
- **Persistence:** None required (atomic transaction).
- **Discovery:** Reconnaissance of the protocol's price oracle and slippage formulas, particularly how new functionality handled "cash" vs. "liability."
- **Collection:** Flash loaning large amounts of WAVAX and sAVAX.
- **Impact (The Maneuver):**
1. **Liability Inflation:** Deposited WAVAX to LP-AVAX and sAVAX to LP-sAVAX to increase contract liabilities.
2. **Cash Depletion:** Swapped sAVAX for WAVAX to reduce the cash reserves in the LP-AVAX contract.
3. **Liquidity Draining:** Withdrew remaining WAVAX to leave the contract with near-zero cash.
4. **Price Exploitation:** With liability inflated and cash at near zero, the slippage formula priced the final swap far from the intended rate, allowing the attacker to extract the profit.
## Impact Assessment
- **Financial:** ~$2.2M stolen; approximately $575k was later recovered due to an error in the attacker's contract.
- **Operational:** Total suspension of the Platypus Finance protocol and its forks.
- **Reputational:** Massive loss of trust; this was the third exploit in 2023 (following an $8.5M loss in February and a $150k loss in July).
## Indicators of Compromise
- **Attacker Addresses:**
- 0x0cd4fd0eecd2c5ad24de7f17ae35f9db6ac51ee7
- 0x464073f659591507d9255b833d163ef1af5ccc2c
- **Malicious Contracts:**
- 0x4cfb527f51b391ecb1a5197edc7a38160c261b6f
- 0xf2c444572a402ec83b7cb64e4a9fc2188f0628f2
- **Behavioral:** High-volume flash loan activity followed by extreme slippage fluctuations in the LP-AVAX pool.
## Response Actions
- **Containment:** Proactive suspension of all smart contract pools.
- **Recovery:** Successfully "white-hacked" or recovered $575,000 of the stolen assets.
- **Eradication:** Investigation into the logic error in the swap formula.
## Lessons Learned
- **Audit Limitations:** The protocol had been audited by Hacken and Omniscia, but these audits were conducted long before the specific vulnerable code was deployed. Audits must be continuous and cover all new feature additions.
- **Economic Stress Testing:** Price manipulation via flash loans remains one of the most common vectors for DeFi exploits. Protocols must simulate extreme cash/liability ratios during development, including every state reachable by depositing, swapping and withdrawing inside a single transaction.
## Recommendations
- **Continuous Auditing:** Mandate delta-audits for any change in smart contract logic or new pool additions.
- **Slippage Guardrails:** Implement hard caps on slippage, or circuit breakers that revert a swap when the cash-to-liability ratio (before or after the trade) crosses a dangerous threshold, so that a pool driven to near-zero cash cannot quote at all.
- **Flash Loan Resilience:** Check quotes against a time-weighted average price (TWAP) or a decentralized oracle (such as Chainlink) rather than relying solely on internal contract balances, which a single transaction can move arbitrarily.
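The four-step maneuver described under Attack Methodology and the cash-to-liability circuit breaker recommended above, as a worked example added to this report; it is not Platypus Finance's code, the attacker's contract, or a reproduction of the exploited code path. It models a two-sided pool whose swap quote is derived from each side's coverage ratio (cash / liability) through a piecewise slippage curve; the curve constants `K`, `N`, `X_THRESHOLD` and `C1`, the toy 1:1 LP mint/burn, the guardrail parameters `MIN_COVERAGE` and `MAX_PRICE_DEVIATION`, and every balance and flash-loan size are assumptions constructed for the example.

```python
"""Toy coverage-ratio pool (an illustration, not Platypus Finance's code): deposit,
swap and withdraw steer cash/liability inside one transaction, the quote follows."""
from dataclasses import dataclass

# Curve constants (assumed): K / r**N above X_THRESHOLD, linear (C1 - r) below it,
# with C1 chosen so the two pieces join continuously.
K, N = 2e-5, 7
X_THRESHOLD = 0.329811659
C1 = K / X_THRESHOLD ** N + X_THRESHOLD

# Guardrail parameters for the hardened quote (assumptions for this example).
MIN_COVERAGE = 0.3          # no side may sit below 30% coverage before or after
MAX_PRICE_DEVIATION = 0.05  # and the quote may not stray more than 5% from 1:1


@dataclass
class Asset:
    cash: float       # tokens the pool actually holds
    liability: float  # tokens the pool owes its LPs

    @property
    def coverage(self) -> float:
        return self.cash / self.liability if self.liability else float("inf")


def curve(r: float) -> float:
    """Price-impact curve: negligible near full coverage, steep as r -> 0."""
    return C1 - r if r < X_THRESHOLD else K / r ** N


def avg_slippage(asset: Asset, delta: float) -> float:
    """Average slope of the curve over the coverage move caused by `delta` cash."""
    if asset.liability == 0:
        return 0.0
    r0, r1 = asset.coverage, (asset.cash + delta) / asset.liability
    if r0 == r1:
        return 0.0
    return (curve(min(r0, r1)) - curve(max(r0, r1))) / abs(r1 - r0)


def quote(src: Asset, dst: Asset, amount: float) -> float:
    """Unguarded quote: the ideal 1:1 amount scaled by (1 + slip_from - slip_to)."""
    out = amount * (1 + avg_slippage(src, amount) - avg_slippage(dst, -amount))
    if out > dst.cash:
        raise ValueError("destination side cannot cover the output")
    return out


def guarded_quote(src: Asset, dst: Asset, amount: float) -> float:
    """Hardened quote: same formula, but reverts at extreme coverage or price."""
    out = quote(src, dst, amount)
    ratios = (src.coverage, dst.coverage,
              (src.cash + amount) / src.liability, (dst.cash - out) / dst.liability)
    if min(ratios) < MIN_COVERAGE:
        raise ValueError("cash-to-liability ratio outside the safe band")
    if abs(out / amount - 1) > MAX_PRICE_DEVIATION:
        raise ValueError("quote strays too far from the ideal price")
    return out


def deposit(asset: Asset, amount: float) -> None:
    """Toy 1:1 LP mint: cash and liability rise together."""
    asset.cash += amount
    asset.liability += amount


def withdraw(asset: Asset, amount: float) -> None:
    """Toy 1:1 LP burn: cash and liability fall together, bounded by cash on hand."""
    if amount > asset.cash:
        raise ValueError("not enough cash to honour the withdrawal")
    asset.cash -= amount
    asset.liability -= amount


def swap(src: Asset, dst: Asset, amount: float, quote_fn=quote) -> float:
    """Settle a swap at whatever `quote_fn` returns."""
    out = quote_fn(src, dst, amount)
    src.cash += amount
    dst.cash -= out
    return out


def run_maneuver(quote_fn=quote) -> dict:
    """Replay the report's four steps on a constructed healthy pool pair."""
    wavax = Asset(cash=1_000.0, liability=1_000.0)   # constructed starting state
    savax = Asset(cash=1_000.0, liability=1_000.0)
    loan = 9_000.0                                   # constructed flash-loan size
    deposit(wavax, loan)             # 1. inflate liability on both sides
    deposit(savax, loan)
    swap(savax, wavax, loan)         # 2. sAVAX in, WAVAX out: WAVAX cash falls
    withdraw(wavax, wavax.cash)      # 3. pull every WAVAX the pool still holds
    coverage = wavax.coverage        #    zero cash against a large liability
    try:
        final_out = swap(wavax, savax, 3_000.0, quote_fn)  # 4. swap on that ratio
    except ValueError:
        final_out = None             # the guarded quote refuses to price this state
    return {"wavax_coverage_before_final_swap": coverage, "final_out": final_out}


if __name__ == "__main__":
    print("healthy 100 WAVAX -> sAVAX:", quote(Asset(1e3, 1e3), Asset(1e3, 1e3), 100.0))
    print("unguarded final swap:", run_maneuver())
    print("guarded final swap:  ", run_maneuver(guarded_quote))
```

Against a healthy pair (coverage 1.0 on both sides) a 100-token swap quotes at about 99.99, so the curve is invisible in normal use. After steps 1 to 3 the WAVAX side holds zero cash against roughly 6,200 of liability, and the unguarded formula then quotes roughly 5,300 sAVAX for 3,000 WAVAX, a 78% departure from 1:1 produced entirely by state the caller set earlier in the same transaction; `guarded_quote` refuses that swap because the pre-swap WAVAX coverage is below `MIN_COVERAGE`. Two caveats: the example installs the guard only for the final swap so the reader can see exactly what it blocks, whereas a real deployment would run it on every swap and would already have stopped step 2 (which drives WAVAX coverage to 0.1); and because this toy's bookkeeping is internally consistent, the maneuver is not profitable end to end (step 2 costs the attacker more than step 4 returns). The report does not detail the flaw in the newly added functionality that made the real attack pay, so the model shows the manipulable dependency, not the bug.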