Platypus has become the latest decentralised finance (DeFi) protocol to suffer an attack. Indeed, it has been the victim of an $8.5 million hack following a manipulation via a flash loan method. Fortunately, a significant part of the funds has already been recovered thanks to the cooperative efforts of various actors.
Platypus has $8.5m stolen
The decentralised finance protocol (DeFi) Platypus, hosted on Avalanche (AVAX), suffered a hack worth $8.5 million on 16 February. The information was first reported by blockchain security firm CertiK, before being confirmed today by Platypus on Twitter.
We regret to inform you that our protocol was hacked recently, and the attacker took advantage of a flaw in our USP solvency check mechanism. They used a flashloan to exploit a logic error in the USP solvency check mechanism in the contract holding the collateral.
– Platypus (++) (@Platypusdefi) February 17, 2023
According to Platypus, the hack only affects the main cash pool containing USP (the protocol’s stablecoin), and the other pools would be safe. However, at the moment, customer funds in the affected pool are presumably only covered to the extent of 35%.
As a result, the USP has lost its peg to the US dollar for some time, thereby losing 50% of its reference price.
The attacker used a flash loan method to achieve his goal, a form of instant loan to find arbitrage opportunities, unfortunately often used to attack protocols. This is the process that was used in the attack on the Nereus Finance protocol last September.
In this case, the hacker’s funds have been traced, and some have already been blacklisted by Tether. Platypus has announced that it has also contacted Circle and Binance to try to freeze some of the remaining funds.
Hacker’s identity revealed
Investigator ZachXBT, known for his on-chain investigations, has revealed the alleged identity of the hacker after studying various clues pointing to the same individual. The person identified in the tweet has since deleted his Twitter account as well as his Instagram account.
In addition, negotiations have been initiated between Platypus and the hacker so that the latter can eventually return the funds and keep a portion of them. According to ZachXBT, a refusal on the part of the hacker could result in a legal investigation against him.
Hi @retlqw since you deactivated your account after I messaged you.
I’ve traced addresses back to your account from the @Platypusdefi exploit and I am in touch with their team and exchanges.
We’d like to negotiate returning of the funds before we engage with law enforcement. pic.twitter.com/oJdAc9IIkD
– ZachXBT (@zachxbt) February 17, 2023
I have traced your account addresses from the Platypus exploit and am in contact with their team and some exchanges. […] I have examined your transaction history on several blockchains, which led me to your ENS address retlqw.eth. Your OpenSea account is directly linked to your Twitter and you liked a Tweet about the Platypus exploit. “
According to the latest tweet from Platypus, the protocol has managed to recover 2.4 million USDC thanks to the cooperation of blockchain auditing firm BlockSec, just over a quarter of the total.