Decentralized finance (DeFi) protocol Platypus has revealed details of a recent $9.1 million exploit, along with efforts to recover the funds and a compensation plan for victims.
In a post published on Medium on February 23, the company revealed that a logical error in the USP credit-check mechanism within the collateral retention contract was responsible for the three separate attacks carried out by the same exploiter. According to Platypus, Stableswap’s operations have not been affected.
Since the attack, we’ve been working with security experts & stakeholders to recover lost funds, trace the hacker, and explore potential solutions to recover trapped funds
Here’s an update on the progress made thus far
Check our medium for more info https://t.co/VoNYl9MAtd
— Platypus (++) (@Platypusdefi) February 23, 2023
Several stablecoins and other assets were stolen in the attacks. Approximately $8.5 million in assets were stolen in the first attack. In the second incident, some 380,000 assets were mistakenly submitted to the Aave v3 contract. In the third attack, approximately $287,000 in assets were stolen.
The Platypus recovery plan will return at least 63% of the main pool funds. After the attack, about 35.4% of the funds remained in the pool, and 2.4 million USD Coin (USDC) had been recovered, that is, 17.7% of the assets prior to the attack. Another 1.4 million (10.4% of pre-attack assets) in treasury will also be used to offset liquidity providers’ losses within six months if the stolen funds are not recovered. The company stated:
“We are currently in discussions with various parties to help recreate stablecoins that were caught in the attack contract. Once any stablecoins are recovered, we will distribute the reminted tokens to liquidity providers on a prorated basis.”
Platypus is also working with the Aave protocol to recover some $380,000 worth of locked assets. A proposal to recover the funds will be voted on in the Aave governance forum. “Once the proposal is approved, we will partner with the Aave team to create a recovery contract that will transfer the stolen funds from the Aave fund to the Platypus contract.” The company also noted:
“[…] If our proposal submitted to Aave is approved and Tether confirms the reminting of frozen USDT, we will be able to recover approximately 78% of user funds.”
Blockchain security firm CertiK first reported the flash loan attack on the platform via a tweet on February 16. Flash loan attacks exploit weaknesses in a platform’s smart contracts using large amounts of money borrowed without collateral. The attack caused the stablecoin Platypus USD (USP) to lose its peg to the US dollar, falling to around $0.32 at press time, according to CoinGecko.
Clarification: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information presented here should not be taken as financial advice or investment recommendation. All investment and commercial movement involve risks and it is the responsibility of each person to do their due research before making an investment decision.