Decentralized finance (DeFi) company Platypus is working on a compensation plan for user losses after a flash loan attack drained nearly $8.5 million from its protocol, affecting its dollar-peg stablecoin.
In a Tweet on February 18, Platypus announced that it will work on a plan to compensate for the damage and asks users not to notice any losses in the protocol, saying that this will make it more difficult for the company to manage the problem. The liquidation of assets is also paused, the protocol says:
2 / We are working on a plan to offset the loss, DO NOT pay back USP and recognize the loss. It will be easier for us to manage the damage. Also, you don’t need to worry about liquidation because liquidation is stopped, the cost of stability after attack will not count
– Platypus (++) (@Platypusdefi) February 18, 2023
According to the company, various parties are now involved in the recovery process, including law enforcement officials. More details on the next steps will be revealed soon, Platypus said.
Part of the fund is locked in the Aave protocol. Platypus is exploring ways to potentially recover the funds, which will require the approval of the government forum Aave the recovery proposal.
Blockchain security company CertiK first reported the lightning loan attack on its platform via a tweet on Feb.16, along with the contract address of the alleged attacker. Nearly $8.5 million was moved from the protocol, and as a result, the Platypus USD stablecoin became de-pegged from the US dollar, dropping to $0.33 at the time of writing.
“The attackers used flashloan to exploit a logic error in USP’s solvency checking mechanism in contracts holding collateral,” the company said. A potential suspect has been identified.
A technical post-mortem analysis carried out by audit firm Omniscia revealed that the attack could have been carried out with incorrect code after being audited. Omniscia reviewed the version of the MasterPlatypusV1 contract from November 21 to December 5, 2021. However, the version “does not have an integration point with the external platypusTreasure system” and therefore does not contain any erroneous lines of code.
The flash loan attack exploits the smart contract security of the platform to borrow large amounts of money without collateral. Once a cryptocurrency asset has been manipulated on one exchange, it is quickly sold on another, allowing exploiters to profit from price manipulation.