Platypus to work on compensation plan after $8.5M attack

Published at: Feb. 18, 2023

Decentralized finance (DeFi) firm Platypus is working on a compensation plan for user's losses after a flash loan attack drained nearly $8.5 million from the protocol, affecting its stablecoin dollar-peg. 

In a Tweet on Feb. 18, Platypus disclosed to be working on a plan to compensate the damages and asked users not to realize their losses in the protocol, saying this would make it harder for the company to manage the issue. Assets liquidation are also paused, said the protocol:

2/ We are working on a plan to compensate the losses, please DO NOT repay your USP and realize the losses. It would be easier for us to manage the damage. Also, you don’t have to worry about liquidation as liquidation is paused, stability fee after the attack will not be counted

— Platypus (++) (@Platypusdefi) February 18, 2023

According to the firm, different parties are currently involved in the funds' recovery process, including legal enforcement officials. Further details about the next steps will be disclosed soon, noted Platypus. 

Part of the funds are locked up in the Aave protocol. Platypus is exploring a method to potentially recover the funds, which would require the approval of a recovery proposal Aave’s governance forum.

Blockchain security firm CertiK first reported the flash loan attack on the platform through a tweet on Feb.16, along with the alleged attacker's contract address. Nearly $8.5 million was moved from the protocol, and as a result, the Platypus USD stablecoin became de-pegged from the U.S. dollar, dropping to $0.33 at the time of writing.

"The attacker used a flashloan to exploit a logic error in the USP solvency check mechanism in the contract holding the collateral,” said the company. A potential suspect has been identified. 

A technical post-mortem analysis conducted by auditing company Omniscia revealed the attack was made possible by incorrectly placed code after it was audited. Omniscia audited a version of the MasterPlatypusV1 contract from Nov. 21 to Dec. 5, 2021. The version, however, “contained no integration points with an external platypusTreasure system” and therefore did not contain the misordered lines of code.

The flash loan attack exploits the smart contract security of a platform to borrow large amounts of money without collateral. Once a cryptocurrency asset has been manipulated on one exchange, it is quickly sold on another, allowing the exploiter to profit from the price manipulation.

Tags
Related Posts
DeFi platform Vee Finance exploited for $35M on Avalanche blockchain
Decentralized finance (DeFi) platform Vee Finance reported $35 million in losses in an exploit, just a few days after launching its mainnet on the Avalanche network. After pausing services due to suspicious activity on Monday, Vee Finance confirmed that its platform was under attack resulting in a loss of 8,804 Ether (ETH) and around 214 Bitcoin (BTC). The total amount is worth more than $35 million at the time of writing. According to the official incident announcement, the suspected attacker has collected stolen assets on one address after exploiting the Vee Finance trade contract address. In order to prevent further …
Blockchain / Sept. 21, 2021
Hacker bungles DeFi exploit: Leaves stolen $1M in contract set to self destruct
In a rare comedic bungle among decentralized finance (DeFi) exploits, an attacker has fumbled their heist at the finish line leaving behind over $1 million in stolen crypto. Just after 8:00 am UTC on Thursday, blockchain security and analytics firm BlockSec shared it had detected an attack on a little-known DeFi lending protocol called Zeed, which styles itself a “decentralized financial integrated ecosystem.” The attacker exploited a vulnerability in the way the protocol distributes rewards, allowing them to mint extra tokens, which were then sold, crashing the price to zero, but netting just over $1 million for the exploiter. Blockchain …
Defi / April 22, 2022
Moola Market attacker returns most of $9M looted for $500K bounty
An attacker has returned just over 93% of the more than $9 million worth of cryptocurrencies they exploited from the Celo (CELO) blockchain-based decentralized finance (DeFi) lending protocol Moola Market. At around 6PM UTC on Oct. 18 the Moola Market team tweeted it was investigating an incident and had paused all activity, adding it had contacted authorities and offered a bug bounty to the exploiter if funds were returned within 24 hours. Analysis of the exploit by Web3 security company Hacken shows the attacker manipulated the price of the protocols’ low-liquidity native MOO token by initially purchasing around $45,000 worth …
Defi / Oct. 19, 2022
After Mango Market exploit, Compound pauses four tokens to protect against price manipulation
Decentralized lending protocol Compound has paused the supply of four tokens as lending collateral on its platform, aiming to protect users against potential attacks involving price manipulation, similar to the recent $117 million exploit from Mango Market's, according to a proposal on Compound's governance forum. With the pause, users will not be able to deposit yearn finance (YFI), 0x (ZRX), basic attention token (BAT) and maker (MKR) tokens as collateral to take loans. The proposal passed on Oct. 25 with 99% of all voters in favor. It stated: "An oracle manipulation-based attack analogous to the one that cost Mango Markets …
Altcoin / Oct. 25, 2022
Crypto exploit losses in January see nearly 93% year-on-year decline
Aside from the bullish crypto market rally in January, there’s been more positive industry news as the month saw a decline in losses from exploits compared to the same time last year. According to data from blockchain security firm PeckShield on Jan. 31, there were $8.8 million in losses from crypto exploits in January. There were 24 exploits over the month, with $2.6 million worth of crypto being sent to mixers such as Tornado Cash. The breakdown of assets sent to mixers includes 1,200 Ether (ETH) and around 2,668 BNB (BNB). The January figures are 92.7% lower than the $121.4 …
Defi / Feb. 1, 2023