Platypus Develops Compensation Plan Following $8.5M DeFi Flash Loan Attack

Decentralized finance (DeFi) company Platypus is developing a compensation plan to reimburse user losses following a flash loan attack that drained almost $8.5 million from the protocol and impacted its stablecoin, which is pegged to the US dollar.

2/ We are working on a plan to compensate the losses, please DO NOT repay your USP and realize the losses. It would be easier for us to manage the damage. Also, you don’t have to worry about liquidation as liquidation is paused, stability fee after the attack will not be counted
— Platypus 🔺 (🦆+🦦+🦫) (@Platypusdefi) February 18, 2023

News Sentiment: Positive

Table of Contents

[Open][Close]

Platypus Asks Users Not to Realize Losses to Manage Issues More Effectively
Flash Loan Attack on Platypus Results in De-Pegging of USD Stablecoin
Attacker Exploits Logic Error in Solvency Check Mechanism of Platypus Contract

Platypus Asks Users Not to Realize Losses to Manage Issues More Effectively

On February 18, Platypus tweeted that it is working on a plan to reimburse users for their losses and urged them to refrain from realizing their losses within the protocol as it would complicate the firm’s management of the issue. The protocol also stated that asset liquidations had been paused.

Platypus has indicated that it is collaborating with various stakeholders, including legal authorities, to recover the funds. More details on the next steps will be released soon. A portion of the funds is locked up in the Aave protocol. Platypus is exploring a way to recover the funds, which would necessitate Aave’s governance forum’s approval of a recovery proposal.

Flash Loan Attack on Platypus Results in De-Pegging of USD Stablecoin

On February 16, blockchain security firm CertiK reported the flash loan attack and shared the alleged attacker’s contract address via a tweet. Nearly $8.5 million was removed from the platform. As a result, the Platypus USD stablecoin lost its peg to the US dollar and fell to $0.33 at the time of writing.

Attacker Exploits Logic Error in Solvency Check Mechanism of Platypus Contract

According to Platypus, the attacker leveraged a flash loan to exploit a logic error in the USP solvency check mechanism in the collateral contract. The company has identified a possible suspect.

An auditing firm named Omniscia conducted a technical post-mortem analysis and discovered that the attack was enabled by incorrectly placed code following an audit. Omniscia audited a version of the MasterPlatypusV1 contract from November 21 to December 5, 2021. However, the version did not contain any integration points with an external platypusTreasure system and, therefore, did not contain the misordered lines of code.

A flash loan attack exploits a platform’s smart contract security to borrow large sums of money without collateral. Once a cryptocurrency asset has been manipulated on one exchange, it is quickly sold on another, allowing the exploiter to profit from the price manipulation.

Platypus is dedicated to compensating users for their losses and resolving the issue as soon as possible. It collaborates with legal authorities and other stakeholders to ensure a swift and just resolution.