After $8.5M attack, Platypus to devise a compensation plan
Platypus, a decentralized finance (DeFi) firm, is working to recover the funds lost in a flash loan attack that drained approximately $8.5 million from the protocol and affected its stablecoin's dollar peg. The recovery process involves various parties, including law enforcement officials.
In an announcement via Twitter on February 18th, Platypus revealed that it is developing a compensation plan to address the losses incurred by users. It also asked users to refrain from realizing their losses in the protocol, as doing so would make it more challenging for the company to manage the situation. Furthermore, the protocol has suspended the liquidation of assets.
Platypus has reported that various parties, including law enforcement officials, are involved in recovering the funds lost in the flash loan attack on its platform, and that it will soon release further details about the next steps.
A portion of the funds is currently locked up in the Aave protocol, and Platypus is exploring a potential method to retrieve these funds, which would require the approval of a recovery proposal on Aave’s governance forum.
The flash loan attack was first reported by blockchain security firm CertiK, which also disclosed the contract address of the alleged attacker via Twitter on February 16th. The attack resulted in the movement of nearly $8.5 million from the protocol, causing the Platypus USD stablecoin to become de-pegged from the U.S. dollar and drop to $0.33 at the time of writing.

Platypus USD Price Chart (USP) – 7 days. Source: CoinGecko
According to the company, the attacker used a flash loan to exploit a logic error in the USP solvency check mechanism in the contract holding the collateral. The company has identified a potential suspect.
An auditing company, Omniscia, conducted a technical post-mortem analysis and found that the attack was made possible by code that was incorrectly placed after the contract was audited. Omniscia audited a version of the MasterPlatypusV1 contract from Nov. 21 to Dec. 5, 2021, which did not contain any integration points with an external platypusTreasure system and therefore did not have the misordered lines of code.
Flash loan attacks exploit weaknesses in a platform's smart contracts using large amounts of money borrowed without collateral. The attacker then manipulates a cryptocurrency asset on one exchange and quickly sells it on another, profiting from the price manipulation.