Key Points:

  • Blockchain security firm BlockSec helped Platypus recover $2.4 million for Platypus by taking advantage of a vulnerability in an attacker’s contract.

  • The attacker could only cash out $270,000 out of the nearly $9.1 million stolen.

Cryptocurrency security firm BlockSEC helps Platypus get back $2.4 million from attackers by implementing an upgraded proxy. With this help, the attacker can only get a small part of the original stolen funds.

With assistance from blockchain security company BlockSec, the Platypus protocol was breached yesterday, resulting in at least 2.4 million USDC being returned to the compromised platform.

    

We help @Platypusdefi recover 2.4M USDC from the attacker contract successfully!BlockSec will always be here to secure the whole ecosystem. 

— BlockSec (@BlockSecTeam)    February 17, 2023   

According to MetalSleuth, a visualization tool from Blocksec, of the nearly $9.1 million in stolen monies from Platypus, it was discovered that the attacker could only pay out $270,000.

$8.5 million of the stolen money has been frozen in the contract where it was transferred, and another $380,000 from a second exploit attempt was unintentionally routed back to Aave.

BlockSec’s strategy for exploiting the attacker’s contract flaw centered around getting back some of the stolen money for Platypus.

   

“By leveraging this loophole, the project can transfer the funds from the attacker contract to the project’s account,”

Yajin Zhou, co-founder of BlockSec told The Block.  

Using the proof of concept we produced, the project was able to recover $2 million. According to Zhou, this was done in order to reclaim the money from the attacker’s contract. He also said that $8 million in assets were left stranded because the attacker contract lacks a transfer function.

To get back the crypto, BlockSec used a callback function in the attacker’s contract.

   

“The attack was launched through the flash loan callback interface in the attack contract. This callback function has no access control. And during this callback function, the attacker hardcoded the logic to approve USDC to the project’s contract (which is a proxy),”

Zhou said.  

As mentioned in an earlier Coincu News article, the Platypus Stablecoin Exchange Project was hacked with an estimated loss of $9 million. The project was hacked through flash loans on AVAX. The cause is believed to stem from a vulnerability in verifying the MasterPlatypusV4 contract using the EmergencyWithdraw function.

DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your research before investing.

Join us to keep track of news: https://linktr.ee/coincu

Foxy

Coincu News