Date: 2023-07-27

According to CertikAlert, Palmswap, a decentralized exchange, fell victim to a flash loan exploit on July 24, 2023, resulting in the loss of approximately $901,000 USD, equivalent to 901,455 USDT. The attack was made possible due to a vulnerability in the PlpManager contract, which incorrectly calculated USDP amounts, creating a loophole susceptible to flash loan attacks.

The initial attempt in block 30248637 failed because the attacker ran out of gas. An externally owned address (EOA) 0xf84ef then observed the botched attack, learned how to execute it correctly, and replicated the exploit in block 30248638 while paying the right amount of gas.

The perpetrator exploited the platform by flash loaning 3,000,000 USDT. Due to the incorrect USDP calculation in the PlpManager contract, the Vault mistakenly returned more USDT to the attacker, leaving a total of $901,445 in the attacker's wallet.

The stolen funds are currently in EOA 0x0Fe74. Palmswap's team has reached out to the wallet holding the stolen funds to negotiate a bounty. However, BscScan seems to have incorrectly labeled the wallet as the Palmswap exploiter.

