Decentralized finance (DeFi) protocol Platypus has revealed details of a recent $9.1 million exploit, along with efforts to recover funds and a compensation plan for victims.
In a Medium post dated February 23, the company disclosed that a logic error in USP’s solvency control mechanism under the collateral holding agreement was responsible for three separate attacks carried out by the same exploiter. Stableswap operations were not affected, Platypus said.
Since the attack, we have been working with security experts and stakeholders to recover the lost funds, track down the hacker and explore potential solutions to recover the trapped funds.
Here’s an update on the progress so far
Check out our media for more information https://t.co/VoNYl9MAtd — Platypus (++) (@Platypusdefi) February 23, 2023
Several stablecoins and other assets were stolen in the attacks. Approximately $8.5 million worth of assets was stolen in the first attack. In the second incident, roughly 380,000 in assets was accidentally sent to the Aave v3 contract. The third attack resulted in the theft of approximately $287,000 in assets.
The Platypus Recovery Plan will return at least 63% of the main fund. After the attack, almost 35.4% of the funds remained in the pool and 2.4 million USD Coin (USDC) was recovered, or 17.7% of the assets before the attack. An additional 1.4 million (10.4% of pre-attack assets) in the treasury will also be used to compensate LP losses within six months if the stolen funds are not recovered. The company stated:
“We are currently in discussions with various parties to help recreate the stablecoins that were trapped in the attack contract. Once all the stablecoins are acquired, we will distribute the reminted tokens to LP on a pro rata basis.”
Platypus is also working with the Aave protocol to recover around $380,000 worth of locked assets. The funding proposal will be voted on at Aave’s governance forum. “Once the proposal is approved, we will partner with the Aave team to create a renewal contract that will transfer the used funds from the Aave fund to the Platypus contract.” The company also noted:
“[…] if our proposal to Aave is approved and Tether confirms the frozen USDT reminder, we will be able to recover approximately 78% of the user’s funds.”
Blockchain security firm CertiK first reported the flash loan attack on the platform via a tweet on February 16. Flash loan attacks exploit weaknesses in a platform’s smart contracts using large amounts of money borrowed without collateral. The attack caused the Platypus USD (USP) stablecoin to lose its peg to the US dollar; it had fallen to nearly $0.32 at the time of writing, according to CoinGecko.