Decentralized finance (DeFi) protocol Platypus Finance has lost $8.5 million after suffering a flash-loan attack. However, with the help of some on-chain sleuths, the project managed to track down the hacker and even recover some of the funds.
On Thursday, an exploiter took advantage of a flaw in Platypus USD (USP), the protocol’s stablecoin, to steal user funds via a flash-loan attack. “They used a flashloan to exploit a logic error in the USP solvency check mechanism in the collateral-holding contract,” the project confirmed in a Twitter post.
The project detailed that approximately $8.5 million worth of funds had been stolen from the main pool. As a result, the Platypus USD stablecoin de-pegged from the US dollar, falling to an all-time low of $0.33, down more than 66% from its intended $1 peg.
Platypus said deposits were covered at 85% and other pools were unaffected. The company said it has contacted the hacker to negotiate a refund and has also begun working with major crypto companies to freeze the funds.
Shortly after, crypto on-chain sleuth ZachXBT alleged that the person behind the now-deleted Twitter account @retlqw was responsible for the hack, saying that addresses identified by Platypus were linked to the account.
“I traced the address back to your account from the Platypus exploit and I have been in contact with their team and the exchange,” ZachXBT said in a tweet aimed at user @retlqw. “We want to negotiate a refund before engaging with law enforcement.”
ZachXBT said he was able to trace the hacker by reviewing their transaction history across multiple chains, which led him to their ENS address, retlqw.eth. “Your OpenSea account connects directly to your Twitter and you liked a tweet about the Platypus exploit,” said the crypto researcher.
Meanwhile, Platypus updated its pool contract to recoup $2.4 million in USDC from the hacker with the help of blockchain security firm BlockSec.
“They updated it in such a way that when the exploit contract deposits USDC (which it is tricked into believing) as collateral for mining USP, they can spoof the code to say it is 0. USDC is due back,” Twitter user Restless said.
The user said that Platypus sent USDC from fictitious pools to hardcoded addresses to avoid generalized front-runners. “Other assets may be more difficult to recover, but given that they control the pool code, they have significant control,” he added.
The Platypus hack comes as crypto is rife with exploits and manipulations. As reported, the industry lost about $4 billion worth of digital assets to hacks, frauds, scams and rug pulls in the last year.
Among various forms of illegal activity, hacks accounted for the vast majority of crypto losses in 2022. More specifically, hackers stole over $3.7 billion, or over 95% of all crypto lost in the year. Fraud, scams and rug pulls accounted for only 4.4% of the total losses.