News
Feb 18, 2023
Decentralized finance (DeFi) protocol Platypus Finance recently fell victim to a flash-loan attack, leading to the loss of $8.5 million. Despite the huge loss, the project was able to track down the hacker, recover some funds, and even negotiate for more.
The attack occurred when an exploiter took advantage of a flaw in the Platypus USD (USP) stablecoin. The project later confirmed on Twitter that the hacker "used a flashloan to exploit a logic error in the USP solvency check mechanism in the contract holding the collateral."
Nearly $8.5 million worth of funds were stolen from the main pool, causing the Platypus USD stablecoin to lose its intended $1 peg and fall to an all-time low of $0.33. However, deposits were covered at 85%, and other pools were not affected. The company has reached out to the hacker for a return of the funds, and is working with major crypto firms to freeze the stolen assets.
Platypus's efforts to recover its losses were assisted by on-chain sleuths, such as ZachXBT, who managed to trace the hacker by reviewing their transaction history across multiple chains. The hacker was traced to a now-deleted Twitter account named @retlqw, and the addresses identified by Platypus were allegedly linked to the account.
Meanwhile, blockchain security firm BlockSec helped Platypus update its pool contract to counter-exploit $2.4 million in USDC from the hacker. According to a Twitter user called nervoir, the company "updated it such that when the exploit contract deposited the USDC (which it is tricked to believe is a flash loan) as collateral for the minting of USP, they could trick the code that it owed 0 USDC back."
Despite the successful efforts of Platypus and the on-chain sleuths, this hack is just one of the many exploits, scams, and rug pulls that the crypto industry continues to face. In 2022, the industry lost roughly $4 billion worth of digital assets, with hacks accounting for the majority of losses. More specifically, hackers stole over $3.7 billion, or more than 95% of all crypto lost in the year. Frauds, scams, and rug pulls comprised only 4.4% of the total losses.