Decentralized finance (DeFi) protocol Platypus has disclosed the details of a recent $9.1 million exploit, alongside its efforts to recover the funds and a compensation plan for victims.
In a Medium post on Feb. 23, the company revealed that a logic error in the USP solvency check mechanism within the collateral-holding contract was responsible for the three separate attacks carried out by the same exploiter. The stableswap operations have not been affected, said Platypus.
"Since the attack, we've been working with security experts & stakeholders to recover lost funds, trace the hacker, and explore potential solutions to retrieve trapped funds. Here's an update on the progress made thus far. Check our medium for more info: https://t.co/VoNYl9MAtd" — Platypus (++) (@Platypusdefi), February 23, 2023
Several stablecoins and other assets were stolen in the attacks. Approximately $8.5 million in assets were stolen in the first attack. In the second incident, roughly $380,000 in assets were mistakenly sent to the Aave v3 contract. The third attack resulted in the theft of approximately $287,000 in assets.
Platypus’ recovery plan will see the return of at least 63% of the main pool funds. Following the attack, nearly 35.4% of the funds remained in the pool, and 2.4 million USD Coin (USDC), or 17.7% of pre-attack assets, had been recovered. Another 1.4 million (10.4% of pre-attack assets) in the treasury will also be used to compensate LPs’ losses within six months if the stolen funds are not recovered. The company stated:
“We are currently discussing with various parties to help recreate stablecoins that were trapped in the attack contract. Once any stablecoins are retrieved, we will distribute the reminted tokens to LPs on a pro-rata basis.”
Platypus is also working with the Aave protocol to recover locked assets worth around $380,000. A proposal seeking to retrieve the funds will be put to a vote on Aave's governance forum. “Once the proposal is approved, we will partner with the Aave team to create a recovery contract that will transfer the exploited funds from the Aave pool to Platypus’ contract.” The company also noted:
“If our proposal submitted to Aave is approved and Tether confirms reminting the frozen USDT, we will be able to recover approximately 78% of user’s funds.”
Blockchain security firm CertiK first reported the flash loan attack on the platform through a tweet on Feb. 16. In a flash loan attack, the attacker borrows a large sum without posting collateral and uses it, within that same transaction, to exploit a flaw in a platform's smart contracts. The attack resulted in the depegging of the Platypus USD (USP) stablecoin from the U.S. dollar, with its price dropping to nearly $0.32 at the time of writing, according to CoinGecko.