[ARC] Platypus Finance Rescue Mission
ARC rationale
On February 16, 2023 at approximately 7 PM UTC, Platypus Finance, a stableswap protocol on Avalanche, was exploited through a flaw in its USP stablecoin solvency check mechanism, resulting in 9 million in stablecoins being stolen from the users and pool depositors of the protocol in a series of three attacks.
In one of the three attacks, the attacker mistakenly implemented logic in the exploit contract that transferred around $381k worth of stablecoins directly to Aave V3’s Pool contract deployed on Avalanche.
The Pool contract currently implements a rescueTokens() function, which allows a caller that has been granted the Pool_Admin role in Aave V3’s access control system to transfer any stuck ERC-20 tokens to designated addresses, including the stablecoins the attacker transferred to the Pool contract.
This ARC is inspired by the previous discussions between Aave contributors, the Platypus team & its community, and various blockchain security organizations and individuals on the possible recovery of the funds sent to the Pool contract.
This ARC’s objective is to gather community sentiment and consensus in order to form and publish a formal AIP for a community vote to approve the recovery actions on the stolen user assets stuck in the Pool contract.
To be discussed and decided:
- The technical implementation of the recovery actions: the Platypus team and the Aave core contributors will work on a recovery contract to call the rescueTokens() function of the Pool contract and transfer the exploited funds stuck in the Pool contract to the Platypus team’s multi-sig, subject to a governance vote that grants the recovery contract the Pool_Admin role. The contract will follow Aave’s StewardBase pattern, which specifies the logic for handling Aave’s Pool access control and automatically renounces the admin roles once the recovery actions are fully executed.
ARC content in short
- Platypus/Aave team to deploy a recovery contract with the sole goal of recovering exploited assets stuck in Aave V3’s Pool contract.
- Aave community to vote on granting the recovery contract the Pool_Admin permission to execute the recovery logic.
- Guardians to execute the permission grant should the vote pass.
- Platypus/Aave team to execute the recovery contract.
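The flow in the steps above (deploy, grant Pool_Admin, execute, renounce) can be sketched as a one-shot contract. This is an added example, not the recovery contract written by the Platypus or Aave contributors and not Aave’s StewardBase code: the contract name `RecoverySteward`, the two minimal interfaces and the ACL function shapes are assumptions, and the token addresses, amounts and recipient are constructor inputs rather than values from this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Minimal interfaces declared here so the example is self-contained. Only
// rescueTokens() and the Pool_Admin role are named on the page; the ACL
// function shapes are assumptions of this example.
interface IPoolRescue {
    function rescueTokens(address token, address to, uint256 amount) external;
}
interface IAclRoles {
    function POOL_ADMIN_ROLE() external view returns (bytes32);
    function hasRole(bytes32 role, address account) external view returns (bool);
    function renounceRole(bytes32 role, address account) external;
}
/// Hypothetical one-shot recovery contract: recipient, tokens and amounts are
/// fixed at deployment, so voters can review them before granting the role.
contract RecoverySteward {
    IPoolRescue public immutable POOL;
    IAclRoles public immutable ACL;
    address public immutable RECIPIENT; // the recovery multi-sig
    address[] public tokens;            // stuck ERC-20 tokens
    uint256[] public amounts;           // exact stuck amount per token
    bool public executed;

    constructor(IPoolRescue pool, IAclRoles acl, address recipient,
                address[] memory tokens_, uint256[] memory amounts_) {
        require(recipient != address(0), "zero recipient");
        require(tokens_.length > 0 && tokens_.length == amounts_.length, "bad list");
        POOL = pool;
        ACL = acl;
        RECIPIENT = recipient;
        tokens = tokens_;
        amounts = amounts_;
    }

    /// Design choice of this example: anyone may call, the caller picks nothing.
    function execute() external {
        require(!executed, "already executed");
        bytes32 role = ACL.POOL_ADMIN_ROLE();
        require(ACL.hasRole(role, address(this)), "role not granted");
        executed = true; // set before any external call
        for (uint256 i = 0; i < tokens.length; i++) {
            POOL.rescueTokens(tokens[i], RECIPIENT, amounts[i]);
        }
        // Give up the admin role in the same transaction as the transfers.
        ACL.renounceRole(role, address(this));
        require(!ACL.hasRole(role, address(this)), "role still held");
    }
}
```

Because the transfers and the role renouncement happen in one transaction, the contract never holds Pool_Admin across a block boundary after it has acted, and a failed renouncement reverts the transfers as well.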
Additional Information
To provide full transparency to the Aave community, we have also written a full analysis of the exploit in which funds were drained to Aave’s Pool contract, including the amounts, the addresses involved, and links to public analyses. We have also reached out to independent security firm BlockSec to confirm the facts and legitimacy of our claim.
We have uploaded the relevant documents and have linked them below, where the first document is the analysis and our claim; and the second document is a verification statement signed by BlockSec:
- Information on the Platypus Finance exploit for the Aave Community: Arweave | Google Drive
- Verification Statement for Platypus Finance-signed: Arweave | Google Drive
Should the Aave community have any additional questions regarding the Platypus Finance exploit and our recovery proposal, we are more than happy to answer and provide more information through the discussion post on the governance forum linked below.
Relevant Links
- Attacker’s transfer transaction of the exploited tokens to Pool contract address: SnowTrace
- Aave V3’s Pool address on Avalanche: SnowTrace
- Platypus Finance’s announcement of the exploit: https://twitter.com/Platypusdefi/status/1626396538611310592
| Voter | Cast Power | Vote & Rationale |
|---|---|---|
| FranklinDAO (Prev. Penn Blockchain) | 107,313 | YAY |
| 0x62a4...96816a | 81,588 | YAY |
| 0xB83b...Fbcf5C | 80,176 | YAY |
| Wintermute Governance | 41,674 | YAY |
| StableLab | 10,597 | YAY |
Proposal Status
- Sat March 11 2023, 12:00 pm: Voting Period Starts
- Tue March 14 2023, 12:00 pm: End Voting Period
Current Results
- 1-YAY: 323,559.623
- 2-ABSTAIN: 74.973
- 3-NAE: 21.693
