Platypus Finance protocol hacked for $2 million

Carding 4 Carders

The Platypus Finance DeFi project on the Avalanche network fell victim to an attack, losing about $2 million in digital assets. PeckShield analysts were the first to notice this.

Update: total loss >$2m https://t.co/JnJQjn4Aik
— PeckShieldAlert (@PeckShieldAlert) October 12, 2023

After the hack was reported, the project temporarily stopped all liquidity pools "due to suspicious activity."

Due to suspicious activities in our protocol, we have taken the proactive measure of temporarily suspending all pools.
Further updates will be communicated to the community in a timely manner.
Thank you for your patience and understanding during this time.
— Platypus (@Platypusdefi) October 12, 2023

The attacker probably used a flash loan exploit targeting the AVAX-sAVAX pools. Official comment on the vulnerability has not yet been received.

Platypus was already attacked in February of this year, when an unknown person withdrew assets worth $8.5 million. In addition, the project's USP stablecoin lost its peg to the dollar after the hack.

The team reported that the hacker took advantage of a flash loan and a logic error in the solvency check mechanism of the collateral contract. Later, French police detained the suspects in the attack.

The funds in the main pool of Platypus covered approximately 35% of user deposits. The developers are still paying compensation for the stablecoin that lost its peg. In total, they have returned about $1.3 million.

Update on USP compensation
1/ We used the reserved treasury for the 2nd round of compensation today.
Please note that volatile asset values have fluctuated since the plan's inception, resulting in a total refund of around 1.3m.
Compensation Page: https://t.co/LYUuUsKR8b
— Platypus (@Platypusdefi) September 26, 2023

According to Immunefi, in the third quarter, the industry's losses from hacking and fraud reached $685.5 million — 59.9% more than in the same period last year.
 
A French court has dropped criminal charges against those involved in the $8.5 million hack of the Platypus Finance DeFi protocol in February 2023, Le Monde reports.

The attackers, identified in the report as brothers Mohammed and Benamar M., were detained a few days after the attack. Information from Binance and the well-known on-chain detective ZachXBT helped identify them.

Mohammed was charged with several criminal counts, including access to an automated data processing system, fraud and money laundering. The hacker faced up to 5 years in prison. Claims against his brother related to receiving stolen funds.

During the court hearing on October 26, Mohammed did not dispute the facts. However, he said that he acted in good faith and is an "ethical hacker". His goal, allegedly, was "to recover endangered funds from the Platypus platform, in order to return them later." According to him, he expected a bonus of 10% of the amount.

Mohammed also claimed to have used an "instant loan" attack to exploit a randomly discovered vulnerability in the protocol while studying how it works.

The court considered that charges of unauthorized access to computer systems cannot be applied to his actions, since this is a publicly available smart contract.

The court also concluded that the Platypus exploit was not fraud. Accordingly, the charges of money laundering and receiving stolen goods against the brothers were dropped.

However, the court reminded them that the DeFi project can bring a civil lawsuit against them.

During the attack, Mohammed mistakenly blocked millions of dollars worth of tokens and was only able to cash out ~$270,000.

@Platypusdefi was exploited resulting in a total loss of ~$9.05M. Although the project suffered significant losses from the three attacks, the attacker was only able to control a total of ~$270K from the third attack. The exploiter's initial fund came from @FixedFloat

After… https://t.co/ckq4XWPexg
— MetaSleuth (@MetaSleuth) February 17, 2023

Platypus also managed to recover assets worth approximately $2 million with the help of BlockSec specialists.

In October, the Avalanche-based protocol was attacked again. The losses amounted to about $2 million. The hacker used a flash loan exploit. The hacker returned 90% of the stolen funds to Platypus for a reward of ~18,000 AVAX (~$164,700 at that time).
 