Hackers Use 'Emergency Withdraw' Flaw to Raid Platypus

ZachXBT Identifies Hacker After Attack Erases Half the Value in USP Stablecoin

By: Samuel Haig Loading...

Hackers Use 'Emergency Withdraw' Flaw to Raid Platypus

Platypus Finance, the team behind the USP stablecoin, suffered an $8.5M exploit on Thursday, sending the price of USP and its native PTP token into a sharp decline.

The incident decimated confidence in the Platypus ecosystem as its stablecoin USP sunk to $0.475 after shedding more than half of its value in a day. Platypus’ PTP token also lost a quarter of its value in 24 hours.

“This is a bad look for USP auditors, who should have caught this relatively trivial bug,” tweeted Demirelo, a web3 investor and influencer.

Emergency Withdrawal

PeckShield, a blockchain security firm, said the hacker exploited a flaw in the “emergency withdraw” function in Platypus’ contracts. PeckShield said the contract incorrectly calculated the health of the hacker’s accounts before executing a transaction that allowed the hacker to withdraw $8.5M more than the collateral they had supplied.

“Dear Community, We regret to inform you that our protocol was hacked recently, and the attacker took advantage of a flaw in our USP solvency check mechanism,” Platypus tweeted. It added that the hackers used a flashloan to exploit a logic error in the USP contract.

Crypto Sleuth ZachXBT Exposed Chicanery For a Grateful DeFi Community

Crypto Sleuth ZachXBT Exposed Chicanery For a Grateful DeFi Community

Deeply Researched Probes of Questionable Projects Proved 'Invaluable' in Mad Year

The Defiant The Defiant

ZachXBT, a popular twitter influencer and blockchain sleuth, said he had identified the hacker and the account was deactivated shortly after the heist. The influencer also spotlighted an ENS domain and OpenSea account associated with the perpetrating wallet.

“I’ve traced addresses back to your account from the Platypusdefi exploit,” ZachXBT said in a tweet tagging the accused hacker. “We’d like to negotiate returning of the funds before we engage with law enforcement.”


Platypus said affected users’ balances are covered for up to 35% of their value, and that the team has reached out to the hacker to negotiate a bounty in exchange for returning the funds. The team said it is working with Binance, Tether, and Circle, to freeze the stolen funds, noting that all stolen USDT is frozen.
Platypus launched USP in December, 2022, describing the token as an overcollateralized USD-pegged stablecoin. Platypus is currently the seventh-largest protocol on the Avalanche network with a total value locked of $41M, despite the figure dropping 25% in one day, according to DeFi Llama.

The protocol’s TVL is down more than 96% since peaking above $1.1B in March.