Platypus Exploit - 11 Jul 2023

    Taking a peek into what happened on Platypus Finance on Avalanche

    Explanation of Exploit:

    How did it happen?

    What was going on?

    • It seemed like the user was able to withdraw more than they deposited by using Aave’s flash-loan feature through a contract they created.
    • Looking at on-chain transactions, we can see that these suspicious transactions started around 16:00 UTC and Platypus paused the contracts by 16:54 UTC.
    • To identify other users performing a similar flash loan using USDC on Aave, I was able to identify another address that was also using the same exploit, as these 2 wallets were using flash loans at a significantly higher rate than other wallets within 1 hour (2-3 tx vs 100+ tx).
    • Exploiter Addresses: 0x853d52d21c0b1f6da97bdc7fad0e677c210cb166 and 0xc64afc460290ed3df848f378621b96cb7179521a
      Note: reading contracts isn't really my area of expertise, so these are all inferences.
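    The rate heuristic described above (a handful of flash loans per hour for ordinary wallets versus 100+ for the exploiter wallets) can be turned into a simple screening check. The following is an added example, not code from the original post or from Platypus; it runs over constructed sample flash-loan events with placeholder borrower addresses, counts USDC flash loans per borrower per hour, and flags borrowers whose peak hourly count is far above the median peak of everyone else. The thresholds (`ratio`, `floor`) and the event layout are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed sample data (not real chain data): placeholder borrower addresses.
NORMAL_BORROWERS = ["0xnormal1", "0xnormal2", "0xnormal3", "0xnormal4"]
SUSPECT_BORROWERS = [("0xsuspect1", 120), ("0xsuspect2", 105)]


def build_sample_events():
    """Return constructed (timestamp_utc, borrower, asset) flash-loan events."""
    base = datetime(2023, 7, 11, 15, 0, tzinfo=timezone.utc)
    events = []
    # Ordinary borrowers: 3 USDC flash loans each, spread over the 15:00 hour.
    for i, addr in enumerate(NORMAL_BORROWERS):
        for k in range(3):
            events.append((base + timedelta(minutes=5 * i + 20 * k), addr, "USDC"))
    # Suspect borrowers: 100+ USDC flash loans each, all between 16:00 and 16:54.
    for addr, n in SUSPECT_BORROWERS:
        for k in range(n):
            events.append((base + timedelta(hours=1, seconds=27 * k), addr, "USDC"))
    # A busy borrower of a different asset; it must not be counted under a USDC filter.
    for k in range(200):
        events.append((base + timedelta(hours=1, seconds=15 * k), "0xweth-bot", "WETH"))
    return events


def hourly_counts(events, asset):
    """Map borrower -> Counter(hour bucket -> number of flash loans of `asset`)."""
    counts = defaultdict(Counter)
    for ts, addr, a in events:
        if a != asset:
            continue
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        counts[addr][bucket] += 1
    return counts


def flag_high_rate_borrowers(events, asset="USDC", ratio=10.0, floor=20):
    """Flag borrowers whose busiest hour is >= `floor` loans and >= `ratio` x the median peak.

    Returns (flagged: {borrower: peak hourly count}, baseline: median peak over all borrowers).
    """
    counts = hourly_counts(events, asset)
    peaks = {addr: max(c.values()) for addr, c in counts.items()}
    baseline = median(peaks.values())
    flagged = {addr: n for addr, n in peaks.items() if n >= floor and n >= ratio * baseline}
    return flagged, baseline


def activity_window(events, addr, asset="USDC"):
    """First and last flash-loan timestamp for one borrower, or None if there are none."""
    stamps = [ts for ts, a, s in events if a == addr and s == asset]
    return (min(stamps), max(stamps)) if stamps else None


if __name__ == "__main__":
    sample = build_sample_events()
    flagged, baseline = flag_high_rate_borrowers(sample)
    print(f"median peak hourly count: {baseline}")
    for addr, n in flagged.items():
        first, last = activity_window(sample, addr)
        print(f"{addr}: {n} USDC flash loans in one hour, active {first:%H:%M}-{last:%H:%M} UTC")
```

The activity window per flagged borrower is what lets a responder line up the suspicious burst against the pause timestamp, as the post does with 16:00 and 16:54 UTC. The asset filter matters: a legitimate high-frequency borrower of a different token should not trip a check that is meant to isolate the USDC pattern.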

    Mitigation Actions:

    • The Platypus team was able to pause the contract, which limited the losses to just 4% of the main pool ($145k in total).
    • As of now, the team has upgraded all relevant proxies to address the bug that led to the exploit and has resumed the pool contracts.