Platypus DeFi Platform Hit by $8.5M Flash Loan Attack with Unexpected Twist – Here's What Happened

Source: AdobeStack / Sashkin

Decentralized finance (DeFi) protocol Platypus Finance has lost $8.5 million after suffering a flash-loan attack. However, with the help of some on-chain sleuths, the project managed to track down the hacker and even recover some funds. 

On Thursday, an exploiter took advantage of a flaw in the Platypus USD (USP), the protocol’s stablecoin, via a flash loan attack to steal user funds. "They used a flashloan to exploit a logic error in the USP solvency check mechanism in the contract holding the collateral," the project confirmed in a Twitter post.

The project detailed that nearly $8.5 million worth of funds were stolen from the main pool. As a result, the Platypus USD stablecoin became de-pegged from the U.S. dollar, dropping to an all-time low of $0.33, down more than 66% compared to its intended $1 peg. 

Platypus added that deposits were covered at 85% and that other pools were unaffected. The company said it has contacted the hacker to negotiate a bounty for the return of the funds and also started working with major crypto companies to freeze funds. 

Shortly after, crypto on-chain sleuth ZachXBT revealed that a now-deleted Twitter account going by @retlqw was responsible for the hack, alleging that the addresses identified by Platypus are linked to the account.

"I've traced addresses back to your account from the Platypus exploit and I am in touch with their team and exchanges," ZachXBT said in a tweet aimed at user @retlqw. "We’d like to negotiate returning of the funds before we engage with law enforcement."

ZachXBT said that he managed to trace the hacker by reviewing their transaction history across multiple chains, which led me to their ENS address retlqw.eth. "Your OpenSea account links directly to your Twitter and you liked a Tweet about the Platypus exploit," the crypto researcher said. 

Meanwhile, Platypus, with the help of blockchain security firm BlockSec, updated its pool contract to counterexploit $2.4 million in USDC from the hacker.

“They updated it such that when the exploit contract deposited the USDC (which it is tricked to believe is a flash loan) as collateral for the minting of USP, they could trick the code that it owed 0 USDC back,” Twitter user nervoir said.

The user added that Platypus sent the USDC from the fake pool to hardcoded addresses to avoid generalized front runners. “The other assets will probably be harder to recover but given that they control the pool code they have significant control,” they said.

The Platypus hack comes as crypto remains rife with exploits and manipulations. As reported, the industry lost approximately $4 billion worth of digital assets to hacks, fraud, scams, and rug pulls last year. 

Among the various forms of illegal activities, hacks accounted for the bulk majority of crypto losses in 2022. More specifically, hackers stole over $3.7 billion, or more than 95% of all crypto lost in the year. Frauds, scams, and rug pulls comprised only 4.4% of the total losses.