Platypus, a DeFi stablecoin swapping protocol on Avalanche, was exploited for $8.5 million on Thursday evening.
The exploit occurred via a flashloan attack that took advantage of a flaw in its USP solvency check mechanism — which tricked Platypus’s smart contracts into thinking that USP was fully backed. USP is Platypus’ native stabletoken.
Soon after the exploit, crypto community members came together to recover the funds.
ZachXBT — a crypto scam researcher — said on Twitter that he tracked down the attacker’s wallet address after reviewing their own chain history across multiple chains.
“Your OpenSea account links directly to your Twitter and you liked a Tweet about the Platypus exploit,” ZachXBT tweeted.
“We’d like to negotiate returning of the funds before we engage with law enforcement,” he wrote.
Platypus — meanwhile and with the help of BlockSec — updated its pool contract to counterexploit $2.4 million in USDC from the hacker.
“They updated it such that when the exploit contract deposited the USDC (which it is tricked to believe is a flash loan) as collateral for the minting of USP, they could trick the code that it owed 0 USDC back,” Twitter user nervoir said.
The USDC from the fake pool was sent to hardcoded addresses to avoid generalized front runners, nervoir tweeted.
“The other assets will probably be harder to recover but given that they control the pool code they have significant control,” they said.
Platypus’s stablecoin, USP, lost its peg to the dollar, dropping to $0.48. It then briefly recovered to $0.97, but has since dipped back down to $0.48, data from CoinGecko shows.