Platypus Needs To Find $8.5 Million For Its Customers, And Fast

Join Our Telegram channel to stay up to date on breaking news coverage

Platypus is working on a plan to compensate the losses its users incurred following a flash loan attack that saw the decentralized finance (DeFi) protocol lose nearly $8.5 million, affecting its stablecoin dollar-peg, Platypus USD (USP). The exploiter took advantage of the company’s USP solvency check mechanism in the attack.

In a Friday Twitter post, Platypus assured users that it was looking to identify a compensation plan, asking them to avoid realizing their losses in the protocol as doing so would make it harder for the company to manage the issue. Notably, the firm has also suspended asset liquidations for the time being.

2/ We are working on a plan to compensate the losses, please DO NOT repay your USP and realize the losses. It would be easier for us to manage the damage. Also, you don’t have to worry about liquidation as liquidation is paused, stability fee after the attack will not be counted

— Platypus 🔺 (🦆+🦦+🦫) (@Platypusdefi) February 18, 2023

After the attack was executed, a Platypus team member commented on the matter in a post on Platypus’s Discover server, saying:

For now, all operations are paused until we get more clarity.

The DeFi protocol has already approached the exploiter for negotiations about a bounty in exchange for the return of the funds.

Blockchain security company CertiK was the first to report the flash loan attack incident, sending a post on Twitter on February 16. The firm also revealed the contract address of the alleged attacker, showing the amount that had been moved from the protocol.

#CertiKSkynetAlert 🚨

We are seeing a #flashloan attack on @Platypusdefi resulting in a potential loss of ~$8.5M.

Tx AVAX: 0x1266a937c2ccd970e5d7929021eed3ec593a95c68a99b4920c2efa226679b430

Stay Frosty! pic.twitter.com/AM2HOM5M2r

— CertiK Alert (@CertiKAlert) February 16, 2023

The firm added:

The attacker used a flash loan to exploit a logic error in the USP solvency check mechanism in the contract holding the collateral. A potential suspect has been identified.

Since then, Platypus USD (USP) has de-pegged from the dollar and its value is at $0.33 at the time of writing. This represents a 67% value drop from its $1 value. As the value continues to decline, user deposits are less covered. However, funds in other pools are not unaffected.

Platypus Seeks Help In The Funds Recovery Process

Platypus also highlighted that it had employed the input of several parties in the funds’ recovery process, including officials in the legal enforcement sector. They also committed to revealing more details about the next steps. Others in the recovery process include Binance, Tether, and Circle, who were asked to freeze the hacker’s funds in a measure to prevent more losses.

The first to be frozen was USDT as discussions about compensating and reimbursing affected investors continued. Analyst ZachXBT highlighted that Tether, a crypto exchange, blacklisted the currency on the blockchain shortly after it happened.

Hi @retlqw since you deactivated your account after I messaged you.

I've traced addresses back to your account from the @Platypusdefi exploit and I am in touch with their team and exchanges.

We’d like to negotiate returning of the funds before we engage with law enforcement. pic.twitter.com/oJdAc9IIkD

— ZachXBT (@zachxbt) February 17, 2023

The analyst was also able to find who committed the hack, claiming that Platypus wanted to negotiate before contacting law enforcement.

I’ve reviewed your transaction history across multiple chains, which lead me to your ENS address retlqw.eth. Your OpenSea account links directly to your Twitter, and you liked a Tweet about the Platypus exploit.

Noteworthy, a section of the funds are locked up in the Aave protocol, and while Platypus is looking for a method that would enable the funds’ recovery, they would need the approval of a recovery proposal in Aave’s governance forum.

Another party that has joined the funds’ recovery process is auditing firm Omniscia, coming in to conduct a technical post-mortem analysis. The audit revealed that the attack was executed by incorrectly placing a code. Omniscia analyzed a version of the MasterPlatypusV1 contract between November 21 and December 5, 2021. Nevertheless, the version “contained no integration points with an external PlatypusTreasure system.” Accordingly, it did not feature any misordered lines of code.

A Twitter user Daniel Von Fange also explained how the attack took place, saying, “After requesting a large “emergency withdraw,” the code did not have the correct checks in place to prevent this from happening.”

In the two hour old Platypus hack, it looks the attacker deposited 44 million, borrowed 42 million, and then used the emergencyWithdraw(), which happily gave the attacker the full original deposited funds back – no deductions for the borrow. pic.twitter.com/QncRrRYg8j

— Daniel Von Fange (@danielvf) February 16, 2023

Flash loan attacks are a common phishing technique employed by threat actors, exploiting the company’s smart contract security. Once this is done, the attacker proceeds to borrow large sums of money without any collateral or security. After manipulating a crypto asset on one exchange, they then proceed to sell it on another, thus profiting from the price manipulation.

USP Had Only Been Live for 10 Days

Notably, Platypus’ stablecoin USP was a newly launched project, having been live for only ten days. The stablecoin debuted on February 6, 2023, and the exploiter attacked on February 16, making away with almost $8.5 million.

USP had been designed to be a stablecoin and was ‘pegged’ directly to the US dollar. This means that one USD was equivalent to one Platypus USD.