• The hacker who exploited Platypus only made off with a small portion of the initially stolen funds.

• Blockchain security firm BlockSec was able to take advantage of a loophole in the attacker’s contract and call back 2.4 million US Dollar Coins into Platypus’ address with an upgrade proxy implementation.

After the Platypus protocol was hacked yesterday, at least 2.4 million USDC was returned to the exploited platform with help from blockchain security firm BlockSec.

Of the almost $9.1 million in funds stolen from Platypus, the attacker could only cash out $270,000, according to MetaSleuth, a visualization tool from BlockSec.

Some $8.5 million of stolen funds are frozen in the contract they were transferred to, and another $380,000 from a second attempted exploit were accidentally sent back to Aave, on-chain data show.

Retrieving a portion of the stolen funds for Platypus revolved around BlockSec’s plan to take advantage of a loophole in the attacker’s contract.

“By leveraging this loophole, the project can transfer the funds from the attacker contract to the project’s account,” Yajin Zhou, co-founder of BlockSec, told The Block.

“The project recovered $2 million using the proof of concept provided by us. This was to recover the funds in the attacker’s contract,” according to Zhou, who added that some $8 million in assets were stranded since the attacker contract lacks a transfer function.