The decentralized finance (DeFi) protocol Platypus Finance lost $8.5 million in a flash-loan attack. However, with the help of on-chain sleuths, the project managed to identify the hacker and even recover part of the stolen funds.
On Thursday, an attacker used a flash loan to exploit a vulnerability in Platypus USD (USP), the protocol's stablecoin, and steal user funds. The project confirmed this in a statement on Twitter. It stated, “They employed a flashloan to exploit a logic mistake in the USP solvency check process in the contract holding the collateral.”
According to the project, approximately $8.5 million worth of funds were taken from the primary pool. As a direct consequence, the Platypus USD stablecoin lost its peg to the US dollar, and its price plummeted to an all-time low of $0.33. This represents a decline of more than 66% from its intended value of $1.
Platypus also said that other pools were untouched and that deposits were protected to the extent of 85%. The company stated that it had contacted the hacker in an effort to negotiate a bounty in exchange for the return of the funds. In addition, the company has begun working with key cryptocurrency companies in an effort to freeze the funds.
Shortly after that, an on-chain investigator known as ZachXBT disclosed that a now-deleted Twitter account named @retlqw was responsible for the hack. ZachXBT asserted that the addresses identified by Platypus are connected to the account.
In a tweet directed at the user @retlqw, ZachXBT said, “I’ve traced addresses back to your account from the Platypus exploit, and I am in touch with their team and exchanges.” He added, “Before we get involved with law enforcement, we would prefer to negotiate the return of the monies.”
ZachXBT told me that he was able to track down the hacker by examining the hacker’s transaction history across numerous chains, which ultimately led him to the hacker’s ENS address, retlqw.eth. The crypto researcher pointed out that the hacker’s OpenSea account is directly linked to the hacker’s Twitter account, which had liked a tweet that discussed the Platypus attack.
In the meantime, Platypus, with the assistance of the blockchain security company BlockSec, changed its pool contract in order to counter-exploit the $2.4 million in USDC that the hacker had stolen.
A Twitter user named nervoir said that “they changed it such that when the exploit contract deposited the USDC (which it is deceived to believe is a flash loan) as collateral for the minting of USP, they could trick the code that it owes 0 USDC back.”
The user added that Platypus had sent the USDC from the bogus pool to hardcoded addresses in order to avoid a generalized front-runner. They said, “The other assets will probably be tougher to recover, but given that they control the pool code, they have significant control.”
The Platypus hack comes at a time when crypto continues to be plagued by exploits and manipulations. According to reports, the industry lost digital assets worth around $4 billion to breaches, fraud, scams, and rug pulls in the previous year.
In 2022, hacking accounted for the vast majority of stolen cryptocurrency. Specifically, hackers stole almost $3.7 billion, which is equivalent to more than 95% of all crypto assets lost throughout the year. Fraud, scams, and rug pulls accounted for only 4.4% of the total losses.
08 Mar 2023