The Plutarch eDSL tries to control how plutus core is generated to create a smaller and thus a more efficient validator script (their GitHub).
I am not an in depth user of this tool. Does its approach reduce the expressiveness of the validator script? Moreover, does it reduce the intention of the script and thus lead to a loss of security?
This question is especially relevant due to recent MinSwap exploit (they use Plutarch).
I'm approaching the tool so I would not consider myself a Plutarch expert
however to my understanding, Plutarch is designed to be compatible with the entire PlutusTx API
since the real code of smart contracts (that goes on-chain) is Untyped Plutus Core (UPLC) and both PlutusTx and Plutarch do fully cover UPLC Abstract Syntax Tree Plutarch should be equivalent in terms of expressiveness to PlutusTx.
regarding security what Plutarch does more than PlutusTx is just being strictly-evaluated so the underlying logic should not be different, only the way to get to the final result changes
MinSwap did used both PlutusTx and Plutarch for the smart contracts, and the incriminated code (validateMintNFT) was written using PlutusTx
in particular the function isUnity was allowing to duplicate (not so much) Non Fungible Tokens
tweag (the company that audited the smart-contracts prior releasing them) has an entire dedicated article
