- DeFi protocol, Platypus loses $8.5 million to flash loan attack.
- The protocol’s stablecoin has lost its dollar peg and half its value due to the attack.
- The Platypus hacker is allegedly a Twitter user with a now-deactivated account.
Decentralized Finance protocol, Platypus suffered losses worth $8.5 million in a flash loan attack. The protocol took to Twitter, explaining that the hacker took advantage of a logic error in its USP solvency check mechanism.
Platypus Finance is one of many DeFi protocols that have fallen victim to cyber-attacks. dForce suffered a reentrancy vulnerability attack earlier this month, losing $3.6 million worth of crypto assets.
LendHub lost $6 million after the hacker exploited a failure in its IBSC token contract.
Platypus Finance protocol is an automated market maker (AMM) decentralized exchange (DEX) platform for trading stablecoins on the Avalanche blockchain.
The protocol promotes censorship resistance, security, self-custody, and maximum capital efficiency. Platypus offers a single-token provision in which traders can purchase a single PTP token to mitigate the risk of temporary loss for liquidity providers.
Its features also seek to reduce the risks of slippage for traders in markets with frequent volatility.
Platypus Finance Loses Its Dollar Peg
The attack caused its stablecoin, Platypus USD ($USP) lose its dollar peg, with its value dropping by 52% and price falling from $1 to 48 cents. The only funds affected are customers’ deposits, which are covered up to 35%, while funds in other pools remain intact.
According to the protocol, which also disclosed the exploiter’s contact address, the hacker has been contacted to negotiate a bounty in exchange for the return of the funds.
While only USDT has been frozen, Platypus is working with Binance, Tether, Circle, and other associated parties to freeze the hacker’s additional funds to avoid further losses.
“We understand that this is a difficult time for our community, and we appreciate your patience and understanding,” the protocol said.” We want to assure you that we are taking this matter seriously and will keep you informed as we progress.”
Has the Platypus Hacker Been Found?
A tweet from “on-chain sleuth” ZachXBT called out a now deactivated account, alleging that the disclosed exploiter’s address has been traced to the owner.
“I’ve traced addresses back to your account from the @Platypusdefi exploit, and I am in touch with their team and exchanges,” the tweet read. “We’d like to negotiate to return the funds before we engage with law enforcement.”
According to Zach, the account holder’s transaction history led to an ENS address, address retlqw.eth. Zach highlighted a couple of “leads,” which allegedly linked them to the exploit. The Twitter account owner has also deactivated their Instagram.
The official Platypus account has retweeted the message from Zach and encouraged individuals with helpful information to come forward.