Platypus Finance: Third Time (Un)lucky


Platypus Finance, a DeFi protocol operating on the Avalanche network, recently fell victim to another security exploit, marking its third significant breach within a year. This incident has not only resulted in a substantial financial loss but also raised pointed questions about the security strategy implemented by the protocol, if any.

Behind the Breach

The recent hack on Platypus Finance led to an estimated loss of over $2 million. The exploit appears to have been a flash loan attack, specifically targeting the AVAX-sAVAX liquidity pool. Flash loan attacks have become notably prevalent in the crypto space, leveraging the ability to borrow assets without collateral to manipulate market conditions and exploit vulnerabilities within DeFi protocols.

In this incident, attackers discovered a vulnerability that allowed them to withdraw Wrapped AVAX (WAVAX) and Staked AVAX (SAVAX), with one of the hacker’s wallets accumulating over $1.6 million worth of WAVAX and SAVAX.

A String of Attacks

This isn’t the first time Platypus Finance has found itself in the crosshairs of malicious actors. In February 2023, the protocol suffered a substantial blow when hackers drained over $8.5 million through a flash loan attack during the launch of a new stablecoin, USP. A few months later, in July 2023, the protocol once again paused its pools after identifying “suspicious activities”, which were later found to involve multiple suspicious flash loans.

Community and Market Impact

The recent exploit has significantly impacted the Platypus Finance community and its market standing. Amid the news, the value of Platypus Finance’s token plummeted by 7.5% to $0.012, according to CoinMarketCap, reflecting the immediate financial repercussions of the breach.

In a bid to control the situation and prevent further exploitation, Platypus Finance temporarily suspended all pools due to “suspicious activities in our protocol” and assured its user base that updates would be provided as soon as possible. The protocol has been actively communicating with its community via Twitter, acknowledging the incident and thanking them for their patience and support during this tumultuous period.

Lessons from the Incident

Three hacks in less than a year show that Platypus Finance's security practices are highly inadequate, especially for a DeFi platform. Apart from hurting its users financially, this record also undermines the whole ecosystem's trustworthiness, which, unfortunately, is bad news for all of us.

Rivanorth is a global boutique Web3 cybersecurity company. We specialise in smart contract audits and blockchain security advisory. Visit to find out more.
