On February 16, 2023 at approximately 7 PM UTC, Platypus Finance, a stableswap protocol on Avalanche, was exploited through a flaw in its USP stablecoin solvency check mechanism and resulted in 9 million in stablecoins stolen from the users and pool depositors of the protocol in a series of three attacks.
In one of the three attacks, the attacker mistakenly implemented a logic in the exploit contract such that around $381k worth of stablecoins were directly transferred to Aave V3’s Pool contract deployed on Avalanche.
Currently, the Pool contract has implemented a rescueTokens() function, which will allow the function caller, who must be granted the Pool_Admin role in Aave V3’s access control system, to transfer any stuck ERC-20 tokens to designated addresses, including the stablecoins transferred to the Pool contract by the attacker.
This ARC is inspired by the previous discussions between Aave contributors, the Platypus team & its community, and various blockchain security organizations and individuals on the possible recovery of the funds sent to the Pool contract.
This ARC’s objective is to gather community sentiment and consensus to form and publish a formal AIP proposal vote for a community vote to approve the recovery actions on the stolen user assets stuck in the Pool contract.
To be discussed and decided:
- The technical implementation of the recovery actions: Platypus team and the Aave core contributors will work on a recovery contract to call the rescueTokens() function of the Pool contract and transfer the exploited funds stuck in the Pool contract to Platypus team’s multi-sig, subject to governance voting which will grant the recovery contract the Pool_Admin role access. The contract will follow Aave’s StewardBase pattern, which specifies the logic for handling Aave’s Pool access control logic and automatically renounce the admin roles once the recovery actions are fully executed.
ARC content in short
- Platypus/ Aave team to deploy a recovery contract with the sole goal to recover exploited assets stuck in Aave V3’s Pool contract.
- Aave community to vote on granting the recovery contract’s Pool_Admin permission to execute the recovery logic.
- Guardians to execute the permission grant should the voting be passed.
- Platypus/ Aave team to execute the recovery contract.
Returning these assets to their rightful owner is the right thing to do.
The Aave-Chan Initiative is happy to assist actively with this rescue mission and at a minimum will vote accordingly.
We can confirm that Aave v3 was designed with this potential problem in mind, making it straightforward to recover assets from specific key contracts, such as the aforementioned
As correctly described by the OP, a steward pattern can be used, encoding the exact amounts to rescue, and to which the Aave Guardian in Avalanche will need to grant POOL_ADMIN permissions for only that action.
In order to follow good practices, and even if from a high-level perspective the case seems clear, for full transparency with the community, we would like to request the following from the Platypus team:
- Proof with all different amounts, addresses involved, and public analysis (e.g. security teams who analyzed the exploit) that the amounts belong to the Platypus protocol/users.
- Having a representative of an independent security team confirming the facts and legitimacy of the claim.
- Creation of a Snapshot vote (somebody from the Aave community can help too) for the Aave community to authorize the Aave Guardian for the rescue.
From our analysis, we find the claim fully legitimate, but also believe that full transparency is a must in these kinds of situations.
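The steward pattern described in the posts above, as an added example that is not the Platypus or BGD Labs recovery contract: tokens, amounts and recipient are fixed at deployment, and the contract gives up the pool admin role in the same transaction that performs the rescue. The contract name `RescueSteward`, its constructor parameters and the permissionless `execute()` are assumptions made for illustration; the interfaces declare only `rescueTokens`, `POOL_ADMIN_ROLE` and `renounceRole` as exposed by Aave V3's Pool and ACLManager.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Minimal interface declarations, limited to the calls this example uses.
interface IPool {
    function rescueTokens(address token, address to, uint256 amount) external;
}

interface IACLManager {
    function POOL_ADMIN_ROLE() external view returns (bytes32);
    function renounceRole(bytes32 role, address account) external;
}

/// One-shot rescue steward (hypothetical name). Everything it may do is fixed
/// at deployment, so governance can review the exact transfers before the
/// Guardian grants the pool admin role to this contract.
contract RescueSteward {
    struct Rescue { address token; uint256 amount; }

    IPool public immutable POOL;
    IACLManager public immutable ACL_MANAGER;
    address public immutable RECIPIENT; // placeholder: the claimant's multi-sig
    Rescue[] public rescues;            // placeholder: audited token/amount pairs
    bool public executed;

    constructor(IPool pool, IACLManager acl, address recipient, Rescue[] memory list) {
        require(recipient != address(0), "ZERO_RECIPIENT");
        POOL = pool;
        ACL_MANAGER = acl;
        RECIPIENT = recipient;
        for (uint256 i = 0; i < list.length; i++) {
            rescues.push(list[i]);
        }
    }

    /// Callable by anyone: the caller cannot influence token, amount or recipient.
    /// Reverts as a whole if the role has not been granted or a transfer fails.
    function execute() external {
        require(!executed, "ALREADY_EXECUTED");
        executed = true;
        for (uint256 i = 0; i < rescues.length; i++) {
            POOL.rescueTokens(rescues[i].token, RECIPIENT, rescues[i].amount);
        }
        // Drop the role in the same transaction so no admin power remains.
        ACL_MANAGER.renounceRole(ACL_MANAGER.POOL_ADMIN_ROLE(), address(this));
    }
}
```

Reviewers of such a contract would compare the stored `rescues` entries and `RECIPIENT` against the published claim before the role is granted, since nothing can be changed after deployment.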
I guess this does not create any negative impact on AAVE pools and the soundness of the platform overall… and good deeds are always rewarded by the universe, let’s help them out
Thank you Aave community for the support!
We fully agree with BGD Labs’ thoughts on providing full transparency on the exploit to the Aave community before any recovery actions are taken.
In light of the request, we have written a full analysis of the exploit where funds were drained to Aave’s Pool contract, along with all different amounts, addresses involved, and public analysis links included. We have also reached out to independent security firm BlockSec to confirm the facts and legitimacy of our claim.
We have uploaded the relevant documents and have linked them below, where the first document is the analysis and our claim; and the second document is a verification statement signed by BlockSec:
Should the Aave community have any additional questions regarding the Platypus Finance exploit and our recovery proposal, we are more than happy to answer and provide more information.
Thanks for the detailed report and transparency @Anatinus_Platypus .
From our perspective and given the proofs provided, it looks perfectly legitimate to proceed to a Snapshot stage for the community to approve a rescue from the Aave v3 Avalanche
If/when approved, we are happy to support the Platypus team with the technical aspects of the operation.
Given the overall positive feedback and the fact that all outstanding questions regarding the recovery action have been addressed, we have proceeded the ARC for Snapshot voting. The voting page can be accessed here: Snapshot
The Platypus Finance team is more than happy to continue answering questions and providing more information related to the ARC in this post.
We would also like to express our appreciation for the support shown by the Aave community and contributors on the recovery action.
We would like to express our deepest gratitude for the overwhelming community support on our ARC recovery proposal on Snapshot.
Based on the results, we will continue our work to prepare an official AIP and the necessary technical payloads with the help of Aave’s core contributors.
We would also like to specially thank BGD Labs and the Aave-Chan Initiative for all the guidance and help to us on this recovery process.