Platypus Finance (3rd exploit): Flash loan + LP-AVAX pool cash/liability manipulation → slippage-inflated swap output
Summary
Platypus Finance (3rd exploit) suffered a DEX / Stableswap AMM exploit on 2023-10-12, resulting in a loss of approximately $2M.
What happened
Platypus Finance was drained for $2.2M in its third exploit in 8 months when attackers manipulated the cash/liability ratio in the LP-AVAX pool — a pool deployed after the only audits the protocol ever received.
Linked factors
- RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (post-audit deployment)]
- RD-F-006 — related : Time between audit end and deploy [via cross-hack: Factor 21: Post-Audit Code Change Without Re-Audit]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- RD-F-139 — causal : ★ Post-audit code changes deployed without re-audit [via cross-hack: Factor 21: Post-Audit Code Change Without Re-Audit]