On Tuesday, Platypus Finance, a popular DeFi protocol, began consulting its community on how to recover the funds taken by its hacker. In a Twitter announcement, the protocol asked members of its community for opinions that could aid the recovery of the funds. According to Platypus, the proposal will move to a voting stage in the next couple of days.
Through the vote, members of the community are to decide how best to recover the funds. The DeFi protocol suffered a $9 million hack on its network last Thursday. News of the exploit was first relayed by CertiK, a blockchain security firm. According to the firm, the hacker used flash loans available on the Avalanche (AVAX) blockchain to compromise one of the functions in Platypus’ smart contracts.
Side notes on the Platypus exploit
According to findings, the Platypus hacker deposited $44 million of stablecoins into the application. However, he realized that he could only mint an amount equivalent to the deposited stablecoins. Owing to this, the hacker reportedly used the platform's emergency withdrawal function to regain access to the deposited $44 million while also keeping the minted USP. CertiK confirmed that the attacker then exchanged the USP for other crypto assets before repaying the loan. This left Platypus with a $9 million loss. As of press time, most of these funds are in the hacker's contract address, while others have been sent to pools.
Further, another blockchain security protocol, PeckShield, explained that the exploit was possible because the hacker could abuse a flaw in Platypus' “emergency withdraw” feature. The flaw, according to PeckShield, caused the contract to miscalculate the health of the hacker’s account. This enabled the hacker to withdraw more than the collateral he deposited.
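The kind of health miscalculation PeckShield describes can be shown with a toy model. The following is an added example, not Platypus' contract code: the class, method names and amounts are constructed, and the specific flaw shown (checking health before the collateral is removed rather than after) is an assumption, since the article does not give the contract logic.

```python
from dataclasses import dataclass

class Insolvent(Exception):
    """Raised when an operation would leave debt without backing."""

@dataclass
class Position:
    # Toy lending position (constructed): collateral deposited, debt minted against it.
    collateral: int = 0
    debt: int = 0

    def healthy(self, collateral=None):
        # Healthy when debt does not exceed the collateral backing it.
        backing = self.collateral if collateral is None else collateral
        return self.debt <= backing

    def deposit(self, amount):
        self.collateral += amount

    def borrow(self, amount):
        if self.debt + amount > self.collateral:
            raise Insolvent("borrow would exceed collateral")
        self.debt += amount

    def emergency_withdraw_flawed(self):
        # Assumed flaw: health is evaluated on the balance BEFORE removal,
        # so a fully borrowed position still passes the check.
        if not self.healthy():
            raise Insolvent("position unhealthy")
        out, self.collateral = self.collateral, 0
        return out

    def emergency_withdraw_checked(self):
        # Hardened: evaluate health on the balance that remains AFTER removal.
        if not self.healthy(collateral=0):
            raise Insolvent("outstanding debt must be repaid first")
        out, self.collateral = self.collateral, 0
        return out

def bad_debt(position):
    # Debt left without backing; a test or monitor should require this to be 0.
    return max(0, position.debt - position.collateral)

def run(withdraw_name, amount=44_000_000):
    # Deposit, mint an equivalent amount, then attempt the emergency path.
    p = Position()
    p.deposit(amount)
    p.borrow(amount)
    try:
        getattr(p, withdraw_name)()
    except Insolvent:
        pass
    return bad_debt(p)
```

The invariant in `bad_debt` is the useful part for auditing: it should hold after every exit path, including emergency ones, not only after the normal withdraw.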
Shortly after, ZachXBT, a popular blockchain sleuth, announced that he had discovered the identity of the hacker. ZachXBT also claimed he had identified the domain and OpenSea account associated with the attacker’s wallet.
The Platypus team confirmed the exploit. Since then, the team has been working with numerous firms, including Binance, Tether and others, to freeze the funds. Later, it announced that all the stolen funds had been frozen. Now, the protocol is keen on recovering a part of the funds, $380 thousand stuck in the Aave contract.