
Platypus Finance Suffers $2.23 Million Flash Loan Exploit on Avalanche

The decentralized finance protocol Platypus Finance suffered a flash loan attack on October 12, 2023, losing approximately $2.23 million across three transactions. It is the third security incident to hit the Avalanche-based automated market maker in 2023, and it raises serious questions about how well DeFi liquidity pools holding closely correlated assets withstand price manipulation.

The Exploit Mechanics

The attack unfolded in a sequence of three flash loan transactions executed by two separate externally owned addresses (EOAs). The first attacker, operating from EOA 0x0cd4, initiated the exploit at 03:29 AM UTC by flash-loaning 1.1 million Wrapped AVAX (WAVAX) and 991,000 Staked AVAX (sAVAX) — collectively worth over $20 million at the time. The attacker deposited these funds into Platypus liquidity pools to manipulate the relative pricing between WAVAX and sAVAX, then systematically withdrew and swapped assets to extract value from the pricing discrepancies. After repaying the flash loan, the attacker retained approximately $1.2 million in profit.

A second attacker, EOA 0x4640, launched a similar attack at 06:16 AM UTC, extracting roughly $575,000. Just one minute later, the original exploiter returned for a third transaction, taking an additional $450,000. The total haul across all three transactions reached $2.23 million, comprising approximately $1.3 million in WAVAX and $913,000 in sAVAX.

Affected Systems

The exploit targeted the AVAX-sAVAX liquidity pool on Platypus Finance, an automated market maker built on the Avalanche blockchain. Platypus is primarily designed for exchanging stablecoins and other closely correlated asset pairs and uses a single-sided liquidity design. The protocol had previously secured $3.3 million in a 2021 funding round led by Three Arrows Capital, which has since declared bankruptcy.

This incident is the third to strike Platypus in 2023 alone. In February, the protocol lost $8.5 million in a flash loan attack that exploited a vulnerability in its USP stablecoin solvency check mechanism. In July, approximately $157,000 was lost due to a price imbalance between USDC and USDC.e tokens. The cumulative losses from these three incidents exceed $10.8 million.

The Mitigation Strategy

Blockchain security firm PeckShield was the first to detect the exploit and alert the community. Platypus responded by suspending all liquidity pools and opening a formal investigation. The team also recovered $575,000 after one of the attackers made an operational mistake, sending stolen funds to a Gnosis Safe proxy contract from which they could be retrieved.

By September, the Platypus team had successfully recovered approximately 61.7 percent of the losses from the earlier February exploit. They supplemented this recovery with treasury reserves and launched a second phase of compensation on September 26. The October incident, however, presents new challenges, as the primary exploiter still holds the bulk of the stolen funds.

Lessons Learned

According to CertiK data, price manipulation attacks have become a persistent threat in the DeFi ecosystem. In 2022, there were 40 recorded price manipulation attacks with combined losses exceeding $269 million. While 2023 showed improvement — with 46 incidents totaling $20.4 million through October — individual exploits remain costly. Flash loan incidents specifically showed a downward trend, dropping from a July peak of 23 incidents to just four in October 2023, compared to 15 in October 2022.

The Platypus exploit underscores a critical lesson: a pool that prices closely correlated assets against each other needs a price reference the pool itself cannot move (for a liquid staking token, the staking contract's exchange rate or a time-weighted average rather than the pool's own spot quote), bounds on how far an executed price may deviate from that reference, and limits that break the deposit, manipulate, withdraw and repay sequence a flash loan must complete within a single transaction. Three attacks on the same protocol in one year point to systemic weaknesses that call for a fundamental architectural review rather than patchwork fixes.
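As an added illustration of the attack shape described under "The Exploit Mechanics" and of the safeguards recommended above (this is not Platypus Finance's code, and the pricing curve is not the formula Platypus uses), the following Python model runs a toy two-asset pool with three independent checks: an oracle deviation bound on the executed price, a per-trade volume cap, and a same-block deposit/withdraw lock. The pool sizes, the assumed 1.10 AVAX-per-sAVAX reference rate, the quadratic slippage curve and the thresholds are all constructed for the demonstration.

```python
"""Toy two-asset pool with the safeguards the article calls for.

Constructed example, not Platypus Finance's code or pricing formula. The
pricing curve is a deliberately simple coverage-ratio model chosen only to show
how a skewed pool state produces a quote far from fair value, and how three
independent checks reject it.
"""
from dataclasses import dataclass, field


class SwapRejected(Exception):
    """Raised when a safety check refuses a trade or withdrawal."""


@dataclass
class Asset:
    cash: float        # tokens the pool actually holds
    liability: float   # tokens owed to liquidity providers

    @property
    def coverage(self) -> float:
        """Coverage ratio: how well LP deposits are backed by cash on hand."""
        return self.cash / self.liability


@dataclass
class GuardedPool:
    a: Asset                          # "AVAX-like" side
    b: Asset                          # "sAVAX-like" side
    internal_rate: float              # pool's own belief of B's price in A (assumed)
    max_deviation: float = 0.01       # reject if execution price strays >1% from oracle
    max_trade_fraction: float = 0.10  # reject if one trade asks >10% of destination cash
    guards_enabled: bool = True
    _last_deposit_block: dict = field(default_factory=dict)

    def quote_a_to_b(self, amount_a: float) -> float:
        """B paid out for amount_a of A: internal rate minus a slippage term that
        grows quadratically as B's coverage falls below 1 (toy curve, assumption)."""
        ideal_out = amount_a / self.internal_rate
        coverage_after = max(self.b.cash - ideal_out, 0.0) / self.b.liability
        slippage = 0.0 if coverage_after >= 1.0 else (1.0 - coverage_after) ** 2
        return ideal_out * (1.0 - slippage)

    def _check_volume(self, requested_b: float) -> None:
        """Cap how much of the destination side a single trade may ask for."""
        if requested_b > self.max_trade_fraction * self.b.cash:
            raise SwapRejected("trade exceeds per-trade volume cap")

    def _check_oracle(self, amount_a: float, amount_b: float, oracle_rate: float) -> None:
        """Bound the effective execution price against an independent reference
        (for a liquid staking token: the staking contract's exchange rate or a
        TWAP, never this pool's own spot price)."""
        if amount_b <= 0:
            raise SwapRejected("pool cannot pay out")
        deviation = abs(amount_a / amount_b - oracle_rate) / oracle_rate
        if deviation > self.max_deviation:
            raise SwapRejected(f"execution price deviates {deviation:.1%} from oracle")

    def swap_a_to_b(self, amount_a: float, oracle_rate: float) -> float:
        amount_b = self.quote_a_to_b(amount_a)
        if self.guards_enabled:
            self._check_volume(amount_a / self.internal_rate)
            self._check_oracle(amount_a, amount_b, oracle_rate)
        self.a.cash += amount_a
        self.b.cash -= amount_b
        return amount_b

    def deposit(self, lp: str, asset: Asset, amount: float, block: int) -> None:
        asset.cash += amount
        asset.liability += amount
        self._last_deposit_block[lp] = block

    def withdraw(self, lp: str, asset: Asset, amount: float, block: int) -> None:
        """A flash loan must be repaid in the same transaction, so refusing to
        release a deposit in the block it arrived breaks the
        deposit -> manipulate -> withdraw -> repay round trip by itself."""
        if self.guards_enabled and self._last_deposit_block.get(lp) == block:
            raise SwapRejected("withdraw in same block as deposit")
        asset.cash -= amount
        asset.liability -= amount


def demo() -> dict:
    """Run constructed scenarios and report which check fired for each."""
    results = {}
    oracle = 1.10  # assumed independent reference: 1 sAVAX = 1.10 AVAX

    # Healthy pool, ordinary trade: passes every check.
    pool = GuardedPool(Asset(100_000, 100_000), Asset(100_000, 100_000), internal_rate=1.10)
    results["normal"] = round(pool.swap_a_to_b(1_000, oracle), 2)

    # Skewed pool (B's coverage driven down to 0.6): the curve quotes about 1.32 A
    # per B against a fair 1.10, so the oracle bound trips even on a small trade.
    skewed = GuardedPool(Asset(140_000, 100_000), Asset(60_000, 100_000), internal_rate=1.10)
    try:
        skewed.swap_a_to_b(1_000, oracle)
        results["skewed"] = "accepted"
    except SwapRejected as e:
        results["skewed"] = str(e)

    # Same skewed pool with guards off: the mispriced trade goes through.
    skewed.guards_enabled = False
    results["skewed_unguarded"] = round(skewed.swap_a_to_b(1_000, oracle), 2)

    # Flash-loan-sized trade into a healthy pool: the volume cap fires first.
    pool2 = GuardedPool(Asset(100_000, 100_000), Asset(100_000, 100_000), internal_rate=1.10)
    try:
        pool2.swap_a_to_b(1_100_000, oracle)
        results["flash_size"] = "accepted"
    except SwapRejected as e:
        results["flash_size"] = str(e)

    # Deposit and withdraw inside one block, as a flash-loan round trip must.
    try:
        pool2.deposit("attacker", pool2.a, 50_000, block=42)
        pool2.withdraw("attacker", pool2.a, 50_000, block=42)
        results["same_block"] = "accepted"
    except SwapRejected as e:
        results["same_block"] = str(e)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The three checks are deliberately independent so that no single assumption carries the whole defense: the same-block lock stops only attacks funded by a flash loan, the volume cap stops only oversized single trades, and the oracle bound is only as good as the reference it compares against, which is why that reference must be something the pool's own trades cannot move.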

User Action Required

Users who had funds deposited in Platypus Finance liquidity pools should monitor official communications from the team regarding recovery plans. With Bitcoin trading at approximately $26,756 and Ethereum at $1,539 at the time of the exploit, the broader crypto market was experiencing modest downward pressure, making the timing of the recovery effort particularly sensitive. Investors should exercise heightened due diligence when allocating capital to DeFi protocols, particularly those with a history of security incidents, and consider diversifying across multiple platforms to mitigate concentration risk.

Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before engaging with any DeFi protocol.


17 thoughts on “Platypus Finance Suffers $2.23 Million Flash Loan Exploit on Avalanche”

  1. flash loaning 1.1 million WAVAX and 991k sAVAX to manipulate pricing is wild. the attack vector was known but nobody fixed it

    1. Sven M. flash loans get the blame but the real issue was skipped safety params. curve docs documented the exact manipulation vector years before this happened

    2. manipulating sAVAX vs WAVAX pricing through flash loans was first documented in Curve's docs as a known vector. platypus just ignored it

      1. pool_watcher the curve docs literally describe this exact manipulation vector. platypus forked the AMM model and skipped the safety parameters. textbook negligence

        1. avalanche_wolf spot on. curve docs documented this AMM manipulation vector and platypus still skipped the safety params. forking code without understanding it

          1. known_vector_

            avax_defender_ forking curve without the safety params is negligent. the docs literally say here is how to not get rekt and they skipped it

  2. third exploit in a year and TVL still wasn't zero. degen yield farmers will park money anywhere with a few percent APR

    1. Sameer D. third exploit and TVL wasn't zero is the most degen thing I've read all week. yield farmers deserve what they get at some point

  3. two separate attackers hitting the same protocol within hours. not even coordinated, just both saw the same vulnerability. brutal

    1. the second attacker made $1M with basically the same playbook. copypasting an exploit is not exactly sophisticated

      1. Pavel Dvorak the second attacker basically downloaded the exploit script and ran it. zero original work for a million dollars lol

    2. two separate attackers hitting the same protocol within hours. the second guy literally copy pasted the first exploit for 1M. lowest effort attack of 2023

      1. Khoa T. copy pasting an exploit for 1M is peak degen. second attacker probably saw the first tx on etherscan and thought why not me

        1. fork_shame_ copy pasting an exploit is the modern equivalent of script kiddie culture. except these script kiddies are walking away with a million dollars

