Platypus Finance Works on Compensation Plan After $8.5M Exploit

Avalanche-based stableswap protocol Platypus Finance says that it is working on a plan to compensate users for the $8.5 million lost in a flash loan attack last Thursday.

The platform has urged users not to sell their USP tokens, as doing so would make the recovery process harder.

Platypus also said that part of the trapped funds sits in AAVE and that retrieving it would require the approval of a governance proposal.

Post-mortem

According to a post-mortem report by Platypus auditor Omniscia, the flash loan attack exploited a flaw in the protocol's USP solvency check: the check let the attacker pull out the collateral backing their USP while the contract still treated that USP as fully backed.

The contract contained every piece needed to prevent the attack; it failed because those pieces ran in the wrong order. The solvency check was evaluated before the caller's staked amount was set to zero, so it still counted the collateral that the same call was about to hand back.

“The issue could have been prevented by re-ordering the MasterPlatypusV4::emergencyWithdraw statements and performing the solvency check after the user’s amount entry has been set to 0 which would have prohibited the attack from taking place,” wrote Omniscia. 
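The ordering bug Omniscia describes, reduced to a minimal model. This is an added illustration written for this page, not Platypus's code: `Treasure`, `StakingBase`, `isSolvent`, `borrow` and the 80% collateral factor are assumed stand-ins for the real contracts, and the two `emergencyWithdraw` bodies differ only in the order of the statements the post-mortem points at.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added, simplified model of the ordering bug described in the post-mortem.
// This is NOT Platypus's code: Treasure, StakingBase, isSolvent, borrow and
// COLLATERAL_FACTOR_BPS are illustrative stand-ins (assumptions).

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IStaking {
    function stakedAmount(address user) external view returns (uint256);
}

// Issues stablecoin debt against LP tokens staked in the staking contract.
// Solvency is computed from the staking contract's storage, which is why the
// order of statements in emergencyWithdraw decides whether the check works.
contract Treasure {
    IStaking public immutable staking;
    mapping(address => uint256) public debt;              // stablecoin owed per user
    uint256 public constant COLLATERAL_FACTOR_BPS = 8000; // debt <= 80% of collateral (assumed)

    constructor(IStaking staking_) { staking = staking_; }

    function isSolvent(address user) public view returns (bool) {
        uint256 collateral = staking.stakedAmount(user);
        return debt[user] * 10_000 <= collateral * COLLATERAL_FACTOR_BPS;
    }

    // Records new debt for the caller (token minting itself is omitted).
    function borrow(uint256 amount) external {
        debt[msg.sender] += amount;
        require(isSolvent(msg.sender), "insolvent");
    }
}

abstract contract StakingBase is IStaking {
    IERC20 public immutable lp;
    Treasure public treasure;
    mapping(address => uint256) internal amount;

    constructor(IERC20 lp_) { lp = lp_; }

    // One-time wiring, since Treasure and the staking contract reference each other.
    function setTreasure(Treasure t) external {
        require(address(treasure) == address(0), "already set");
        treasure = t;
    }

    function stakedAmount(address user) external view override returns (uint256) {
        return amount[user];
    }

    function deposit(uint256 amt) external {
        lp.transferFrom(msg.sender, address(this), amt);
        amount[msg.sender] += amt;
    }

    function emergencyWithdraw() external virtual;
}

// Vulnerable ordering: the check runs while amount[msg.sender] still counts the
// collateral that is about to leave, so a user carrying maximum debt passes it,
// takes the LP tokens back and leaves the debt unbacked.
contract StakingVulnerable is StakingBase {
    constructor(IERC20 lp_) StakingBase(lp_) {}

    function emergencyWithdraw() external override {
        uint256 amt = amount[msg.sender];
        require(treasure.isSolvent(msg.sender), "remaining amount exceeds collateral factor");
        lp.transfer(msg.sender, amt);
        amount[msg.sender] = 0;
    }
}

// Fixed ordering, as Omniscia recommends: zero the entry first, then run the
// solvency check against the post-withdrawal state, then transfer. A user with
// any outstanding debt now reverts, and the revert undoes the zeroing.
contract StakingFixed is StakingBase {
    constructor(IERC20 lp_) StakingBase(lp_) {}

    function emergencyWithdraw() external override {
        uint256 amt = amount[msg.sender];
        amount[msg.sender] = 0;
        require(treasure.isSolvent(msg.sender), "remaining amount exceeds collateral factor");
        lp.transfer(msg.sender, amt);
    }
}
```

Walking the attack through the model: deposit LP, `borrow` up to the collateral factor, then call `emergencyWithdraw`. Against `StakingVulnerable`, `isSolvent` reads the still-populated `amount` entry, returns true, and the LP leaves while the debt stays. Against `StakingFixed`, the entry is zero when `isSolvent` runs, `debt * 10_000 <= 0` is false for any non-zero debt, and the call reverts. The lesson generalises beyond this protocol: any check that reads state through another contract must run after the state it depends on has been updated for the current call.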

Community works to retrieve stolen funds

Following the attack, members of the crypto community came together to retrieve the funds.

On-chain sleuth ZachXBT said on Twitter that he was able to track down the attacker's wallet address by examining their transaction history across several chains. The attacker reportedly deactivated their Instagram and Twitter accounts after being called out.

Counterexploit

In an unexpected twist, Platypus – with the help of smart contract auditor BlockSec – managed to counterexploit the attacker and recover 2.4 million USDC.

According to Twitter user Daniel Von Fange, the attacker's contract had no function for withdrawing the stolen funds, which left them locked inside it. The attacker also skipped a basic flash loan precaution: the flash loan callback was not restricted to the lending pool and the attacker's own transactions, so anyone could trigger it.

“This allowed @BlockSecTeam and the project to retrigger the hack, but with one major twist – the project contracts had been upgraded to steal back from the attacker during the hack,” wrote Daniel. 
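What the missing callback checks and the missing withdrawal function look like in code, as an added example written for this page. The contracts are hypothetical and are not the attacker's: the `IERC20` and `ILendingPool` signatures follow Aave V2, while the strategy body (call a target encoded in `params`), `start` and `sweep` are assumptions made to keep the example self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added, hypothetical Aave V2 flash-loan receiver written for this page. It is
// not the attacker's contract. The "strategy" (call a target encoded in params)
// is a generic stand-in; the IERC20/ILendingPool signatures follow Aave V2.

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address owner) external view returns (uint256);
}

interface ILendingPool {
    function flashLoan(
        address receiverAddress,
        address[] calldata assets,
        uint256[] calldata amounts,
        uint256[] calldata modes,
        address onBehalfOf,
        bytes calldata params,
        uint16 referralCode
    ) external;
}

abstract contract ReceiverBase {
    ILendingPool public immutable POOL;

    constructor(ILendingPool pool) { POOL = pool; }

    // Stand-in for the exploit or arbitrage logic: call whatever params names.
    function _strategy(bytes calldata params) internal {
        (address target, bytes memory data) = abi.decode(params, (address, bytes));
        (bool ok, ) = target.call(data);
        require(ok, "strategy failed");
    }

    // Approve principal plus fee so the pool can pull repayment at the end.
    function _approveRepayment(
        address[] calldata assets, uint256[] calldata amounts, uint256[] calldata premiums
    ) internal {
        for (uint256 i = 0; i < assets.length; i++) {
            IERC20(assets[i]).approve(address(POOL), amounts[i] + premiums[i]);
        }
    }
}

// Vulnerable: the callback trusts whoever calls it. Anyone can call it directly,
// or make POOL call it by passing this contract as receiverAddress to
// POOL.flashLoan with params of their choosing. There is also no function that
// moves tokens out, so whatever the strategy earns is stuck in the contract.
contract UnguardedReceiver is ReceiverBase {
    constructor(ILendingPool pool) ReceiverBase(pool) {}

    function executeOperation(
        address[] calldata assets,
        uint256[] calldata amounts,
        uint256[] calldata premiums,
        address, // initiator, ignored
        bytes calldata params
    ) external returns (bool) {
        _strategy(params);
        _approveRepayment(assets, amounts, premiums);
        return true;
    }
}

// Hardened: only the pool may call the callback, only loans this contract
// started are honoured, only the owner can start one, and the owner can sweep.
contract GuardedReceiver is ReceiverBase {
    address public immutable owner;

    constructor(ILendingPool pool) ReceiverBase(pool) { owner = msg.sender; }

    function start(address asset, uint256 amount, bytes calldata params) external {
        require(msg.sender == owner, "not owner");
        address[] memory assets = new address[](1);
        uint256[] memory amounts = new uint256[](1);
        uint256[] memory modes = new uint256[](1); // 0 = repay in full this tx
        assets[0] = asset;
        amounts[0] = amount;
        POOL.flashLoan(address(this), assets, amounts, modes, address(this), params, 0);
    }

    function executeOperation(
        address[] calldata assets,
        uint256[] calldata amounts,
        uint256[] calldata premiums,
        address initiator,
        bytes calldata params
    ) external returns (bool) {
        require(msg.sender == address(POOL), "caller is not the pool");
        require(initiator == address(this), "loan not started by this contract");
        _strategy(params);
        _approveRepayment(assets, amounts, premiums);
        return true;
    }

    function sweep(address token, address to) external {
        require(msg.sender == owner, "not owner");
        IERC20(token).transfer(to, IERC20(token).balanceOf(address(this)));
    }
}
```

The `initiator` check is the one that matters for the counterexploit described above: with `UnguardedReceiver`, any third party can call `POOL.flashLoan` naming that contract as `receiverAddress`, and the pool will hand it the funds and run its callback on the third party's behalf, which is the general shape of re-triggering someone else's flash loan logic. `GuardedReceiver` refuses such loans, refuses direct calls to `executeOperation`, and adds the `sweep` function whose absence left the attacker's proceeds stranded.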

Disclaimer
All articles published on Coinmash are strictly for informational purposes only. Coinmash has no involvement with any assets discussed and urges everyone to do their own research before making any financial decisions. Read our disclaimer to learn more.

Author

Himan Mohapatra
Himan Mohapatra is an industry expert within the crypto-sphere and the primary journalist for Coinmash. He is an expert in finance and disruptive tech, such as blockchain.