Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 124 · Flash Loan Attack

Platypus Finance Emergency Withdraw

$8.5M drained from Platypus on Avalanche via a flash-loan exploit of emergencyWithdraw(), which let attackers pull staked collateral pre-repayment.

Date: February 16, 2023
Chain(s): Avalanche
Status: Partially Recovered

On February 16, 2023, the Avalanche stablecoin AMM Platypus Finance was exploited for approximately $8.5 million through a flash-loan attack on a misimplemented emergencyWithdraw() function. The exploit also broke the peg of Platypus' USP stablecoin, which fell more than 66% below $1.

What happened

Platypus' PlatypusTreasure contract let users deposit LP tokens as collateral and borrow USP, the protocol's native stablecoin, against them. The collateral-holding contract included an emergencyWithdraw() function intended for users to recover their stake during a protocol emergency.

The fatal flaw: emergencyWithdraw() did not check whether the user had any outstanding borrows against their collateral before releasing it. The protocol's solvency assumption — that no one could remove collateral while owing USP — was silently broken by this single function.

The attack:

  1. The attacker took a $44M USDC flash loan from Aave.
  2. Deposited the USDC into the Platypus pool, receiving LP tokens.
  3. Staked the LP tokens in MasterPlatypusV4, registering as a depositor.
  4. Borrowed the maximum — 95% of the staked value — in USP from PlatypusTreasure.
  5. Called emergencyWithdraw() to pull the staked LP tokens back out without repaying the borrow.
  6. Withdrew the underlying USDC from the LP position, repaid the flash loan, and walked with the borrowed USP plus profit.

The borrowed USP was sold for real assets, depegging USP in the process.
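
The missing check and its fix, as an added example that is not Platypus' code: a simplified Python accounting model of the six steps above, run once with the debt check absent from the emergency path and once with it present. The class and function names are hypothetical, and the model assumes LP tokens priced 1:1 with USDC, no flash-loan fee and no slippage.

```python
LTV_BPS = 9_500  # borrow limit: 95% of staked value, in basis points


class Insolvent(Exception):
    """Raised when an action would leave a position under-collateralised."""


class Treasure:
    def __init__(self, check_debt_on_emergency):
        self.check_debt_on_emergency = check_debt_on_emergency
        self.staked = {}  # user -> LP tokens held as collateral
        self.debt = {}    # user -> USP owed

    def borrow_limit(self, user):
        return self.staked.get(user, 0) * LTV_BPS // 10_000

    def stake(self, user, lp):
        self.staked[user] = self.staked.get(user, 0) + lp

    def borrow(self, user, usp):
        if self.debt.get(user, 0) + usp > self.borrow_limit(user):
            raise Insolvent("borrow exceeds collateral limit")
        self.debt[user] = self.debt.get(user, 0) + usp

    def emergency_withdraw(self, user):
        # Hardened path: apply the same solvency rule as the normal path.
        if self.check_debt_on_emergency and self.debt.get(user, 0) > 0:
            raise Insolvent("outstanding USP debt, repay before withdrawing")
        return self.staked.pop(user, 0)

    def unbacked_usp(self):
        # Invariant to monitor: every position's debt stays within its limit.
        return sum(max(0, d - self.borrow_limit(u)) for u, d in self.debt.items())


def replay(check_debt_on_emergency, flash_loan=44_000_000):
    t, user = Treasure(check_debt_on_emergency), "borrower"
    lp = flash_loan                          # steps 1-2: loan deposited, LP minted 1:1
    t.stake(user, lp)                        # step 3
    t.borrow(user, t.borrow_limit(user))     # step 4
    try:
        usdc = t.emergency_withdraw(user)    # steps 5-6: LP out, redeemed 1:1
    except Insolvent:
        # On-chain the whole transaction reverts, so no debt or stake persists.
        return {"reverted": True, "unbacked_usp": 0}
    return {"reverted": False, "loan_repayable": usdc >= flash_loan,
            "unbacked_usp": t.unbacked_usp()}
```

The `unbacked_usp` figure is the model's count of USP left without collateral, not the realised loss, which depended on what the USP could be sold for.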

Aftermath

  • Platypus paused all pool operations immediately and offered the attacker a white-hat bounty.
  • The attacker's wallet was identified within hours; investigators traced it through Tornado Cash to a Curve deposit and ultimately to a French citizen who was arrested in France within days. French law enforcement confiscated approximately $7.3M of the stolen funds.
  • Platypus published a detailed post-mortem and resumed operations months later under a redesigned solvency model.

Why it matters

Platypus is a striking case of how quickly on-chain forensics and traditional law enforcement can move when an attacker makes operational mistakes. It is also a clean illustration that "emergency" functions are not exempt from the protocol's solvency invariants: every function that mutates user balances, including the ones meant for graceful failure modes, must run the same health checks as the normal-path functions. Euler Finance lost $197M to a structurally identical mistake the next month.

Sources & on-chain evidence

  1. medium.com: https://medium.com/immunefi/hack-analysis-platypus-finance-february-2023-d11fce37d861
  2. numencyber.com: https://www.numencyber.com/platypus-finance-project-hit-by-8-5m-flash-loan-attack/
  3. blockapex.io: https://blockapex.io/platypus-finance-hack-analysis/
