Platypus Needs To Find $8.5 Million For Its Customers, And Fast

Don’t invest unless prepared to lose all the money you invest. This is a high-risk investment, you shouldn’t expect to be protected if something goes wrong.

Platypus Logo
Platypus Logo

Join Our Telegram channel to stay up to date on breaking news coverage

Platypus is working on a plan to compensate the losses its users incurred following a flash loan attack that saw the decentralized finance (DeFi) protocol lose nearly $8.5 million, affecting its stablecoin dollar-peg, Platypus USD (USP). The exploiter took advantage of the company’s USP solvency check mechanism in the attack.

In a Friday Twitter post, Platypus assured users that it was looking to identify a compensation plan, asking them to avoid realizing their losses in the protocol as doing so would make it harder for the company to manage the issue. Notably, the firm has also suspended asset liquidations for the time being.

After the attack was executed, a Platypus team member commented on the matter in a post on Platypus’s Discover server, saying:

 For now, all operations are paused until we get more clarity.

The DeFi protocol has already approached the exploiter for negotiations about a bounty in exchange for the return of the funds.

Blockchain security company CertiK was the first to report the flash loan attack incident, sending a post on Twitter on February 16. The firm also revealed the contract address of the alleged attacker, showing the amount that had been moved from the protocol. 

The firm added:

The attacker used a flash loan to exploit a logic error in the USP solvency check mechanism in the contract holding the collateral. A potential suspect has been identified.

Since then, Platypus USD (USP) has de-pegged from the dollar and its value is at $0.33 at the time of writing. This represents a 67% value drop from its $1 value. As the value continues to decline, user deposits are less covered. However, funds in other pools are not unaffected.

Platypus Seeks Help In The Funds Recovery Process

Platypus also highlighted that it had employed the input of several parties in the funds’ recovery process, including officials in the legal enforcement sector. They also committed to revealing more details about the next steps. Others in the recovery process include Binance, Tether, and Circle, who were asked to freeze the hacker’s funds in a measure to prevent more losses.

The first to be frozen was USDT as discussions about compensating and reimbursing affected investors continued. Analyst ZachXBT highlighted that Tether, a crypto exchange, blacklisted the currency on the blockchain shortly after it happened.

The analyst was also able to find who committed the hack, claiming that Platypus wanted to negotiate before contacting law enforcement.

I’ve reviewed your transaction history across multiple chains, which lead me to your ENS address retlqw.eth. Your OpenSea account links directly to your Twitter, and you liked a Tweet about the Platypus exploit.

Noteworthy, a section of the funds are locked up in the Aave protocol, and while Platypus is looking for a method that would enable the funds’ recovery, they would need the approval of a recovery proposal in Aave’s governance forum.

Another party that has joined the funds’ recovery process is auditing firm Omniscia, coming in to conduct a technical post-mortem analysis. The audit revealed that the attack was executed by incorrectly placing a code. Omniscia analyzed a version of the MasterPlatypusV1 contract between November 21 and December 5, 2021. Nevertheless, the version “contained no integration points with an external PlatypusTreasure system.” Accordingly, it did not feature any misordered lines of code.

 A Twitter user Daniel Von Fange also explained how the attack took place, saying, “After requesting a large “emergency withdraw,” the code did not have the correct checks in place to prevent this from happening.”

Flash loan attacks are a common phishing technique employed by threat actors, exploiting the company’s smart contract security. Once this is done, the attacker proceeds to borrow large sums of money without any collateral or security. After manipulating a crypto asset on one exchange, they then proceed to sell it on another, thus profiting from the price manipulation.

USP Had Only Been Live for 10 Days

Notably, Platypus’ stablecoin USP was a newly launched project, having been live for only ten days. The stablecoin debuted on February 6, 2023, and the exploiter attacked on February 16, making away with almost $8.5 million.

USP had been designed to be a stablecoin and was ‘pegged’ directly to the US dollar. This means that one USD was equivalent to one Platypus USD.

Read More:

Newest Meme Coin ICO - Wall Street Pepe

Rating

Wall Street Pepe
  • Audited By Coinsult
  • Early Access Presale Round
  • Private Trading Alpha For $WEPE Army
  • Staking Pool - High Dynamic APY
Wall Street Pepe

Join Our Telegram channel to stay up to date on breaking news coverage

Read next

Please enter Coingecko & CoinMarketcap Api Key to get this plugin works