Platypus salvages $2.4 million in hacked funds with BlockSec’s help


After the Platypus protocol was hacked yesterday, at least 2.4 million USDC was returned to the exploited platform with help from blockchain security firm BlockSec.

Of the almost $9.1 million stolen from Platypus, the attacker was able to cash out only $270,000, according to MetalSleuth, a visualization tool from BlockSec.

Some $8.5 million of stolen funds are frozen in the contract they were transferred to, and another $380,000 from a second attempted exploit were accidentally sent back to Aave, on-chain data show.

Retrieving a portion of the stolen funds for Platypus revolved around BlockSec’s plan to take advantage of a loophole in the attacker’s contract.

“By leveraging this loophole, the project can transfer the funds from the attacker contract to the project’s account,” Yajin Zhou, co-founder of BlockSec told The Block.

“The project recovered $2 million using the proof of concept provided by us. This was to recover the funds in the attacker’s contract,” according to Zhou, who added that some $8 million in assets were stranded since the attacker contract lacks a transfer function.

Callback the hack

To get back the crypto, BlockSec used a callback function in the attacker’s contract.

“The attack was launched through the flash loan callback interface in the attack contract. This callback function has no access control. And during this callback function, the attacker hardcoded the logic to approve USDC to the project’s contract (which is a proxy),” Zhou noted.

“So the project can first invoke the callback function in the attacker contract to approve USDC to the project’s contract. Then the project contract can withdraw the USDC from the attacker contract by upgrading the proxy to a new implementation,” said Zhou.
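The two-step recovery Zhou describes can be modelled in a few dozen lines. The following Python simulation is an added illustration, not BlockSec's proof of concept and not Platypus or attacker code: it uses a toy ERC-20 ledger, placeholder addresses, an assumed unlimited approval in the callback, and a made-up "LP" token standing in for the non-USDC assets that the article says remain stranded. It shows why the loophole works (an unauthenticated callback that approves the project's proxy) and why it only reaches USDC (the other assets have neither an allowance nor an exit function).

```python
# Constructed model of the recovery path described above. Added illustration,
# not BlockSec's proof of concept and not Platypus code. Addresses, amounts and
# the unlimited-approval assumption are all made up for the example.

MAX_UINT256 = 2**256 - 1


class Token:
    """Minimal ERC-20 ledger: balances plus (owner, spender) allowances."""

    def __init__(self, symbol):
        self.symbol = symbol
        self.balances = {}
        self.allowances = {}

    def balance_of(self, addr):
        return self.balances.get(addr, 0)

    def mint(self, to, amount):
        self.balances[to] = self.balance_of(to) + amount

    def approve(self, owner, spender, amount):
        # In ERC-20 the owner is msg.sender; here the caller passes it explicitly.
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowances.get((owner, spender), 0)
        if allowed < amount:
            raise PermissionError(f"{spender} lacks {self.symbol} allowance from {owner}")
        if self.balance_of(owner) < amount:
            raise ValueError("insufficient balance")
        if allowed != MAX_UINT256:
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balance_of(to) + amount


class AttackerContract:
    """Models the two properties the article describes: the flash-loan callback
    has no access control, and it hardcodes an approval of USDC to the
    project's proxy. No function moves any other token out of it."""

    address = "0xATTACKER"  # placeholder, not the real contract address

    def __init__(self, usdc, project_proxy_address):
        self.usdc = usdc
        self.project_proxy = project_proxy_address

    def flash_loan_callback(self, caller):
        # Missing check: nothing verifies that `caller` is the lending pool.
        self.usdc.approve(self.address, self.project_proxy, MAX_UINT256)
        # The contract's remaining callback logic is not modelled here.


class Proxy:
    """Upgradeable proxy: the admin can point it at a new implementation."""

    address = "0xPROJECT_PROXY"  # placeholder

    def __init__(self, admin):
        self.admin = admin
        self.implementation = None

    def upgrade_to(self, caller, implementation):
        if caller != self.admin:
            raise PermissionError("only the proxy admin can upgrade")
        self.implementation = implementation

    def call(self, caller, method, *args):
        return getattr(self.implementation, method)(self, caller, *args)


class RecoveryImplementation:
    """Hypothetical implementation the project swaps in: it spends the
    allowance the attacker contract granted to the proxy address."""

    def __init__(self, admin):
        self.admin = admin

    def pull(self, proxy, caller, token, source, destination):
        if caller != self.admin:
            raise PermissionError("only the project admin can recover")
        amount = token.balance_of(source)
        token.transfer_from(proxy.address, source, destination, amount)
        return amount


def run_recovery():
    admin, treasury = "0xPROJECT_ADMIN", "0xPROJECT_TREASURY"  # placeholders
    usdc, lp = Token("USDC"), Token("LP")  # LP stands in for the non-USDC assets
    proxy = Proxy(admin)
    attacker = AttackerContract(usdc, proxy.address)
    usdc.mint(attacker.address, 2_400_000)  # illustrative, matches the headline figure
    lp.mint(attacker.address, 8_000_000)    # illustrative stranded balance

    # Step 1: anyone can trigger the callback, which approves the proxy.
    attacker.flash_loan_callback(caller=admin)
    # Step 2: upgrade the proxy and pull the approved USDC.
    proxy.upgrade_to(admin, RecoveryImplementation(admin))
    recovered = proxy.call(admin, "pull", usdc, attacker.address, treasury)

    # The other assets have neither an allowance nor an exit function.
    try:
        proxy.call(admin, "pull", lp, attacker.address, treasury)
        stranded = 0
    except PermissionError:
        stranded = lp.balance_of(attacker.address)

    return {"recovered_usdc": recovered, "stranded": stranded,
            "attacker_usdc_left": usdc.balance_of(attacker.address),
            "treasury_usdc": usdc.balance_of(treasury)}


if __name__ == "__main__":
    print(run_recovery())
```

Running the script prints the recovered and stranded balances. The point of the model is the asymmetry: the approval granted by the unauthenticated callback is the only handle the project has on the contract, so everything that approval does not cover stays where it is.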

Correction: Updated to correct Platypus’ formal name.