Exploit: Platypus to return 63% of users’ lost funds
- Following a $9 million hack, DeFi Protocol Platypus will refund at least 63% of user funds.
- According to the post, the exploit involved three sequential attacks.
- The first and most serious one drained the protocol’s primary pool of $8.5 million worth of stablecoins
In a blog entry published on Thursday, Platypus Finance, a decentralized-finance (DeFi) protocol for stablecoins, announced that after recovering some of the $9 million that had been syphoned off the protocol the previous week, it would return at least 63% of funds to users.
According to the statement, the team has been sincerely working with security specialists and other stakeholders since the incident to examine the attacks and devise a strategy to recuperate the lost funds.
The company disclosed that the three distinct attacks were perpetrated by the same exploiter due to a logical error in the USP solvency check mechanism within the collateral-holding contract. According to Platypus, there has been no impact on the stableswap activities.
The Platypus DeFi protocol, which is built on AVAX, was compromised last week in a flash loan attack, costing almost $8.5 million.
According to the protocol, hackers took advantage of a weakness in the USP solvency check mechanism in the contract, including the collateral, to take advantage of a flash loan.
Before the attack, the Main Pool housed assets worth $13.4 million, including 3.9 million USDC, 2.6 million USDT, 3.1 million USDC.e, 2.1 million USDT.e, 773 thousand DAI.e, and 911 thousand BUSD. Remember that the treasury the protocol retained in the pool to ensure pool solvency was not included.
In the assaults, a number of stablecoins and other assets were taken. The first assault resulted in the theft of assets worth about $8.5 million. Aave v3 contract by accident, received about 380,000 assets in the second occurrence. The third assault led to the theft of assets worth about $287,000 in total.
At least 63% of the money from the main pool will be returned as part of Platypus’ recovery strategy. Nearly 35.4% of the funds were still in the pool after the assault, and 2.4 million USD Coin, or 17.7% of the assets before the attack, had been recovered. If the money taken is not found within six months, another 1.4 million (10.4% of pre-attack assets) from the Treasury will also be used to make up for LP’s losses.
If any stablecoin is recovered, we will pro-rata disperse the tokens to LPs. The 1.4 million treasury was put aside by the protocol for six months. The 1.4 million will be given to the Partners who will be impacted if things don’t get better as expected.
February saw another flashloan attack; dForce lost about $1.7 million in a succession of flash lending transactions on the Optimism network.