Cryptocurrency security company BlockSec has helped Platypus recover $2.4 million from attackers through the use of an improved proxy. As a result, the attacker can recover only a small portion of the funds initially stolen.
The Platypus protocol was compromised yesterday. With help from blockchain security firm BlockSec, at least 2.4 million USDC has been restored to the hacked platform.
We help @Platypusdefi recover 2.4M USDC from the attacker contract successfully!
BlockSec will always be here to secure the whole ecosystem. https://t.co/13JkXxy2II
— BlockSec (@BlockSecTeam) February 17, 2023
The attacker was able to cash out only $270,000 of the approximately $9.1 million in Platypus funds stolen. (Image: a visualization tool from BlockSec.)
Of the stolen funds, $8.5 million has been frozen in the contract to which it was moved, and another $380,000 from a second exploit attempt was accidentally routed back to Aave.
BlockSec took advantage of a weakness in the attacker's contract to retrieve some of the stolen money for Platypus. Yajin Zhou, co-founder of BlockSec, stated:
“By leveraging this loophole, the project can transfer the funds from the attacker contract to the project’s account.”
“We were able to recuperate $2 million for the project by using the proof of concept we created,” Zhou said, adding that this was done to recover the funds from the attacker's contract. He also said that the attacker contract's lack of a transfer function resulted in the loss of $8 million in assets.
BlockSec used a callback function in the attacker's contract to recover the funds. Zhou stated:
“The attack was launched through the flash loan callback interface in the attack contract. This callback function has no access control. And during this callback function, the attacker hardcoded the logic to approve USDC to the project’s contract (which is a proxy).”
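The loophole Zhou describes, as an added example that is not code from BlockSec or Platypus: a simplified Python model (not Solidity) of a flash-loan callback that approves USDC to a hardcoded proxy address, run once without access control and once restricted to its lending pool. All names and the balance are constructed, and the recovery step (the proxy calling the callback, then pulling the approved funds) is an assumed reading of the quote.

```python
# Simplified Python model (not Solidity) of the loophole described in the quote.
# All class, method and account names are hypothetical; balances are constructed.

class Token:
    """Minimal ERC-20-style ledger: balances plus allowances."""
    def __init__(self):
        self.balances = {}
        self.allowances = {}  # (owner, spender) -> approved amount

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        if self.allowances.get((owner, caller), 0) < amount:
            raise PermissionError("allowance too low")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("balance too low")
        self.allowances[(owner, caller)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

class CallbackContract:
    """Contract whose flash-loan callback approves USDC to a fixed address."""
    def __init__(self, name, usdc, hardcoded_spender, trusted_lender=None):
        self.name, self.usdc = name, usdc
        self.spender = hardcoded_spender
        self.trusted_lender = trusted_lender  # None models "no access control"

    def flash_loan_callback(self, caller, amount):
        # The missing check: only the lending pool should reach this code.
        if self.trusted_lender is not None and caller != self.trusted_lender:
            raise PermissionError("caller is not the lending pool")
        self.usdc.approve(self.name, self.spender, amount)

def recover(usdc, contract, proxy, treasury, amount):
    """Assumed recovery path: proxy triggers the callback, then pulls funds."""
    try:
        contract.flash_loan_callback(caller=proxy, amount=amount)
        usdc.transfer_from(proxy, contract.name, treasury, amount)
        return True
    except PermissionError:
        return False

def demo(guarded):
    usdc = Token()
    usdc.balances["attack_contract"] = 2_400_000  # constructed balance
    lender = "lending_pool" if guarded else None
    contract = CallbackContract("attack_contract", usdc, "project_proxy", lender)
    ok = recover(usdc, contract, "project_proxy", "project_treasury", 2_400_000)
    return ok, usdc.balances.get("project_treasury", 0)
```

The same review point applies to any contract that exposes a lender callback: if the callback does not verify its caller, anyone who can reach it can replay whatever approvals it hardcodes.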
The Platypus Stablecoin Exchange Project was hacked, with an estimated loss of $9 million. The project was compromised using flash loans on AVAX. The EmergencyWithdraw function's check in the MasterPlatypusV4 contract is thought to be the root of the problem.