DeFi Protocol Platypus to Repay at Least 63% of User Funds After $9M Hack

Platypus Finance, a decentralized-finance (DeFi) protocol for stablecoins, will repay a minimum of 63% of funds to users after it managed to recover a part of the $9 million drained from the protocol last week, it said in a blog post Thursday.

The protocol also worked with crypto exchange Binance to confirm the exploiter’s identity. The hacker used a Binance account that went through know-your-customer checks for a withdrawal request. Platypus said it contacted law enforcement and filed a complaint in France.

The Platypus hack last week exploited a bug in the platform’s solvency check mechanism to steal $9.2 million of digital assets, leading to its native stablecoin USP yo lose its dollar peg.

The exploit consisted of three consecutive attacks, the post explained. The first and most severe drained a total of $8.5 million in stablecoins, including Circle’s USDC, Tether’s USDT, Maker’s DAI and Paxos’ binance USD from the protocol’s main pool.

Read more: How Solvency Check Error Led to USP Depegging on Avalanche-Based Platypus Finance

The protocol recovered $2.4 million of stolen USDC stablecoins with the help of blockchain security firm BlockSec. Additionally, Tether froze $1.5 million of stolen USDT, according to the post.

The second attack mistakenly transferred $380,000 of stablecoins to lending protocol Aave. Platypus has submitted a proposal to Aave’s governance forum for the release of those assets.

Some $287,000 worth of assets were stolen in the third attack. The protocol considered the funds unrecoverable and lost, as the exploiter ran the stolen assets through crypto mixer Tornado Cash and encryption service Aztec Network, according to the post.

In the blog post, the protocol said it hadn't used its $1.4 million treasury to compensate victims of the hack, but might do so over the next six months if Platypus cannot recover more assets.

“This compensation plan ensures that a minimum of 63% of the funds will be distributed to users, regardless of any further update on fund recovery,” the Platypus post said.

If Tether agrees to remint the frozen USDT to Platypus and Aave approves the recovery proposal, then 78% of user funds will be recovered.

Platypus said it aims to restart the stablecoin swap protocol next week, without its depegged stablecoin, USP.

The Platypus exploit is the latest example of crypto’s rampant problem with hackers. Last year, hackers stole $3.8 billion in crypto assets, primarily from DeFi platforms such as Platypus, according to a report by blockchain security firm Chainalysis.

Read more: With Hacks at a Record High, Crypto Needs to Find Better Ways to Keep Users Safe