Cyber Incident Victim: Platypus Finance

Date: Feb 2023

Location: United States of America

Summary

A decentralized finance protocol suffered an exploit due to a flaw in its USP solvency check mechanism, enabling attackers to leverage a flash loan and manipulate a logic error in collateral contracts, resulting in losses totaling approximately $9.19 million. While user deposits were initially only partially covered, collaborative efforts with exchanges and blockchain security firms led to the freezing of $1.5 million USDT and recovery of $2.4 million USDC. Two individuals were arrested following identification through on-chain analysis and a withdrawal attempt linked to a Binance account, with authorities seizing €210,000 in cryptocurrency. The suspects claimed intentions to return funds after reporting the vulnerability, but legal proceedings were initiated against them.

Description

On or around February 16, 2023, Platypus Finance, a decentralized finance (DeFi) protocol, suffered an attack exploiting a vulnerability in its USP solvency check mechanism. The attacker leveraged a flash loan—a type of uncollateralized loan repaid almost instantly—to manipulate a logic error in the collateral contract’s solvency verification process. This resulted in the unauthorized extraction of funds primarily from the protocol’s main pool. Platypus Finance confirmed losses totaling approximately $8.5 million, affecting user deposits covered only up to 35% at the time of disclosure. Funds in other pools remained unaffected. The attacker’s contract address was publicly shared, alongside transaction details of the exploit. Platypus Finance initiated contact with the hacker to negotiate a bounty for fund return while collaborating with external entities including Binance, Tether, and Circle to freeze stolen assets. These efforts successfully immobilized $1.5 million in USDT, as confirmed in their communication. The protocol committed to exploring compensation options for impacted users but did not specify remediation timelines or methods at this stage.

Within days of the breach, French law enforcement arrested two French nationals, aged 19 and 20, in the Paris region in connection with the attack. Investigators linked the suspects to the theft of approximately $9.19 million, with Platypus attributing their identification to a collaborative effort involving Binance’s intelligence and on-chain analyst ZachXBT. One attacker inadvertently revealed their identity by attempting a USDT withdrawal via a Binance account. BlockSec, a blockchain security firm, assisted in recovering $2.4 million in USDC, limiting the hackers’ retained proceeds to roughly €210,000 (about $210,000) in cryptocurrencies, which authorities later seized. Police emphasized the arrest’s role in halting a “large-scale scam” against a U.S. cryptocurrency exchange firm. The suspects faced judicial proceedings, with one asserting intentions to return funds after purportedly discovering the vulnerability. Legal outcomes and the status of non-recovered assets were not detailed in available disclosures. The state of platform operations after the incident, including any deposit coverage assurances beyond the initial 35% threshold, remained unclear.
