Decentralized finance (DeFi) platform Platypus said Thursday night that about $8.5 million in cryptocurrency was stolen by a hacker that the company is now in communication with.
Platypus wrote on Twitter that the hacker used a flash loan attack — a maneuver involving a fast, uncollateralized loan that artificially raises the price of a digital coin before the hacker dumps it at a profit.
On Friday afternoon, the company said it had worked with blockchain security firm BlockSec to recover $2.4 million worth of USDC, a cryptocurrency pegged to the U.S. dollar. It was not clear from the post how they had obtained the funds.
"Dear Community,

We regret to inform you that our protocol was hacked recently, and the attacker took advantage of a flaw in our USP solvency check mechanism. They used a flashloan to exploit a logic error in the USP solvency check mechanism in the contract holding the collateral."
— Platypus (@Platypusdefi), February 17, 2023
Platypus said in Thursday’s statement that it had contacted the hacker to negotiate a bounty in exchange for the return of the funds. Only 35% of Platypus’ user deposits are covered by other holdings, the platform said.
“We are currently working with several parties, including Binance, Tether, and Circle, to freeze the funds of the hacker and prevent further losses. Right now, the USDT has been frozen. We are also exploring options for compensation and reimbursement for affected investors,” they wrote.
DeFi operations tout their freedom from centralized authorities and independence from the mainstream financial industry, but those features can also make it much tougher for users to recover funds after a disruption.
Blockchain security researcher ZachXBT was allegedly able to trace the stolen funds back to a Twitter account that was immediately deleted when contacted. The researcher, who is working with Platypus, said they would “like to negotiate returning of the funds before we engage with law enforcement.”
The researcher explained that the transaction history of the accounts associated with the attack on Platypus could be traced back to an account on OpenSea — a platform facilitating the sale of NFTs – that was linked to the Twitter account.
The account also liked a Tweet about the Platypus hack before it was deleted.
"I’ve reviewed your transaction history across multiple chains which led me to your ENS address retlqw.eth. Your OpenSea account links directly to your Twitter and you liked a Tweet about the Platypus exploit."
— ZachXBT (@zachxbt), February 17, 2023
Blockchain security firm CertiK told The Record that the attack took place on Thursday and involved a complicated series of transactions that ended up draining Platypus of nearly $9 million.
Flash loan attacks have become one of the most popular ways hackers target DeFi platforms. Last year, scammers took $9 million from Crema Finance and stole $11.2 million worth of Binance Coin from DeFi platform Elephant Money.
Cream Finance — not to be confused with Crema Finance — was hit with three different flash loan attacks in 2021, costing the DeFi platform $130 million in October, $37 million in February and another $29 million in August. Two weeks ago, blockchain research company Chainalysis said more than $3.1 billion was stolen from DeFi platforms last year.
Some of the hackers behind these flash loan attacks have argued that they are not illegal because they simply take advantage of security lapses in the platform code.
"I believe all of our actions were legal open market actions, using the protocol as designed, even if the development team did not fully anticipate all the consequences of setting parameters the way they are."
— Avraham Eisenberg (@avi_eisen), October 15, 2022
The hacker Avraham Eisenberg publicly touted his $110 million hack of Mango Markets last year. But federal authorities disagreed with his assessment, arresting him last December and charging him with commodities fraud and commodities manipulation on the premise that he was effectively robbing other investors of their assets.