
Two Avalanche (AVAX) DeFis Hacked in One Day

Fri, 02/17/2023 - 15:14
Vladislav Sopov
Dexible and Platypus DeFis drained by attackers; will hackers return funds to affected teams?

Today, Feb. 17, 2023, two decentralized finance (DeFi) protocols on the Avalanche (AVAX) blockchain were attacked by malefactors. It looks like on-chain researchers managed to find at least one hacker.

One day, two attacks

At around 11:05 a.m. UTC, cryptocurrency security firm PeckShield posted an alert about a possible DeFi hack. Dexible, a multi-blockchain algorithmic trading DeFi protocol that has versions on Ethereum (ETH), Avalanche (AVAX), Poly Network (POLY), BNB Chain (BSC) and so on, lost over $1.5 million due to a vulnerability in its codebase.

The vulnerability was found in a swap router contract. The attacker immediately started laundering funds through the Tornado Cash (TORN) mixer. Per the first post-mortem released a few minutes ago, the actual size of losses is yet to be calculated:

This allowed the hacker to steal funds from any wallet that had an unspent spend approval on the contract.

Right now, the team is working on a recovery plan. All contracts are paused. Yesterday, the team invited all users to migrate to a new version of the smart contract.

Also, Platypus, an Avalanche-based decentralized stablecoin protocol, suffered from an $8.5 million attack. Malefactors managed to organize a flash loan attack; the USP stablecoin of the project dropped below $0.5. In collaboration with Tether Limited, the team managed to freeze the funds on the attacker's USDT account.

ZachXBT comes to the rescue: Platypus attacker might be found

Right now, the team is in talks with Binance and Circle to lock the rest of the attackers' loot.

Seasoned cryptocurrency researcher ZachXBT is assisting the DeFi team in recovering the funds. He claimed that he discovered the Twitter account of the attacker. The attacker might be using the ENS domain retlqw.eth.

Following this statement, retlqw.eth deactivated both its Twitter and Instagram accounts. However, ZachXBT managed to offer him a bug bounty on behalf of the Platypus team.
