Update on Recovery Efforts After The Exploitation
After a $9.1 million exploit, Platypus team is working with security experts and stakeholders to recover the lost funds and identify the hacker. Let’s dive into the details and be sure not to miss our compensation plan and future plan at the end.
Platypus recently suffered a major exploitation resulting in a total loss of $9.1 million from three separate attacks carried out by the same exploiter. The attacks involved the theft of various stablecoins and other assets. Since the incident, our team has been working tirelessly with security experts and other stakeholders to investigate the attacks and devise a plan to recover the lost funds.
In this article, we provide an update on the recovery efforts and the progress made thus far, as well as our plans for the future.
Before we delve into the details of the recent attack on Platypus, we want to reassure everyone that stableswap’s operation has not been and will not be impacted. Our investigation revealed that the bug responsible for the attack was a logic error in the USP solvency check mechanism within the collateral-holding contract.
Details of the Attacks
At 7:16 pm UTC on February 16th, Platypus was exploited, resulting in a significant loss of $9.19 million due to three separate attacks. Details of these attacks will be disclosed in the following paragraphs, and information about the destination of the funds will also be shared.
Before the attack, the Main Pool held assets valued at $13.4 million, including 3.9m USDC, 2.6m USDT, 3.1m USDC.e, 2.1m USDT.e, 773k DAI.e, and 911k BUSD. Please note that the treasury we kept in the pool for pool solvency was excluded.
Exploiter contract: https://snowtrace.io/address/0x67afdd6489d40a01dae65f709367e1b1d18a5322/
Exploit: https://snowtrace.io/tx/0x1266a937c2ccd970e5d7929021eed3ec593a95c68a99b4920c2efa226679b430
Exploiter: https://snowtrace.io/address/0xeff003d64046a6f521ba31f39405cb720e953958
The first attack resulted in the theft of approximately 8.5 million assets, which included 2.4 m USDC, 1.5m USDT, 1.9m USDC.e, 1.2m USDT.e, 691k DAI.e, and 687k BUSD. These assets were subsequently locked in the contract.
https://snowtrace.io/tx/0x1266a937c2ccd970e5d7929021eed3ec593a95c68a99b4920c2efa226679b430
We have contacted the stablecoin issuers immediately to freeze the stolen assets and 1.5m USDT have been frozen. We have also collaborated closely with multiple security teams to conduct an investigation and explore possible solutions to recover the stolen assets. With the assistance of the BlockSec team, we were able to leverage the existing code in the attack contract and retrieve 2.4 million USDC by transferring it from the contract to Platypus’ contract. Due to the contract’s absence of a transfer function, neither the exploiter nor anyone else can access the remaining assets, making them permanently inaccessible.
The second attack resulted in approximately 380k assets being mistakenly sent to the Aave v3 contract, which included 83k USDC, 96k USDT, 69k USDC.e, 79k USDT.e, 26k DAI.e, and 24k BUSD.
https://snowtrace.io/tx/0x919266aa66d7c9a6af02dead5effc1cc68ab7b87890b52e5fc1e20a7041aa84d
We reached out to the Aave team and worked together to find a solution to retrieve the assets that were mistakenly transferred to their contract. After discussions, we submitted a proposal to their governance forum, which will be voted on. Once the proposal is approved, we will partner with the Aave team to create a recovery contract that will transfer the exploited funds from the Aave pool to Platypus’ contract.
The third attack resulted in the theft of assets valued at approximately $287k.
https://snowtrace.io/tx/0x997bfe1fe0284ebbde58fdab7d796aae5e5d3ac1da7b20cf128961e77d35eed4
The exploiter converted the stolen assets into approximately 14,316 AVAX and then bridged the AVAX to ETH on the Ethereum network.
Actions Taken
The Platypus team was promptly alerted to the attacks after the third incident and took immediate action by halting all activity on the main pool and USP. Additionally, several measures were implemented to address the situation:
- Contacting stablecoin issuers to freeze the stolen assets, resulting in the freezing of USDT.
- Working with @zachxbt to analyze his on-chain activity and track down the identity of the exploiter. Zach’s assistance has been invaluable. We are grateful for Zach’s support in this issue.
- Reaching out to Binance to identify the exploiter, who had submitted a USDT withdrawal request using a Binance account that met the KYC requirements. The exploiter’s identity has since been confirmed, Binance and our team have engaged with law enforcement together to pursue further action. A case has been filed in France. We appreciate the prompt responses and support from the Binance team in this matter.
- Working closely with the BlockSec team, the Platypus team was able to successfully recover 2.4 million USDC that had been trapped in the contract from the first attack.
- Contacting Aave team and submitting proposal to their governance forum to rescue 380k assets (~2.8% of pre-attack assets).
- Reaching out to several top-tier legal firms proactively to explore our legal options and determine the best course of action for further actions.
Compensation Plan
After the attack, around 35.4% of the funds remained in the main pool. The surplus that we kept in the main pool will be fully utilized to compensate the affected LPs for their loss. As we have recovered 2.4 million USDC (17.7% of pre-attack assets) from the attack contract, approximately 53.1% of the pool funds will be refunded to all affected LPs. We are currently discussing with various parties to help recreate stablecoins that were trapped in the attack contract. Once any stablecoins are retrieved, we will distribute the reminted tokens to LPs on a pro-rata basis.
At present, we have chosen not to use the 1.4 million treasury to compensate for the LP loss. This decision has been made to prevent any potential legal conflicts. We are in constant communication with stablecoin issuers to recover the lost stablecoins, and to facilitate negotiations, we will not use the treasury for refunds initially. The treasury will be set aside for six months, and if the situation does not improve as we anticipate, the full 1.4 million (10.4% of pre-attack assets) will be distributed to all affected LPs.
This compensation plan ensures that a minimum of 63% of the funds will be distributed to users, regardless of any further update on fund recovery. In addition, if our proposal submitted to Aave is approved and Tether confirms reminting the frozen USDT, we will be able to recover approximately 78% of user’s funds.
The legal process may take some time. However, once we have received the reminted tokens, we will work diligently to distribute them to all affected LPs with all due haste.
Update on Progress
We want to update you on our progress in negotiating with stablecoin issuers to recover the lost tokens for this process.
1.5 million USDT (11.4% of pre-attack assets)
Responded by: Tether
Details: After the attack, 1.5 million USDT were frozen by Tether. We have already contacted legal enforcement, and we are now communicating closely with the Tether team for the reminting process.
2 million USDT.e, 1.9 million USDC.e, 691k DAI.e (28.3% of pre-attack assets)
Responded by: Ava Labs
Details: The .e assets represent the tokens that were transferred from Ethereum to Avalanche via Avalanche Bridge. Upon transferring the native token from Ethereum to Avalanche, the native token is locked and the .e token is minted by Avalanche Bridge. We are currently exploring the possibility of reminting these .e assets with the Ava Labs team. This process is complex and requires a lot of communication and coordination. We have already contacted the general counsel of Ava Labs, and they will be discussing with Tether and Circle to explore potential solutions. We will continue to closely follow up with their team to work towards the best possible outcome.
687k BUSD (5.0% of pre-attack assets)
Respond by: Binance
Details: We have been in communication with Binance to address the issue of the BUSD assets that remain trapped in the attack contract. We are exploring potential solutions with Binance team and will provide updates to the community on our progress in this matter.
Confirmed loss: 14,316 AVAX, aka the loss from the third attack (2.1% of pre-attack assets)
Details: The stolen tokens have been converted to ETH and bridged to Ethereum. Those tokens have been laundered through Tornado Cash and Aztec Protocol.
To cover the loss, we will be utilizing the 1.4m treasury, and the remaining treasury will be fully reserved to refund the affected LPs.
We have been in ongoing discussions and making progress with relevant parties, and after we received legal opinion, it appears that there is a possibility of reminting the approximately 6 million assets that are stuck in the attack contract. However, the decision and timeframe for this process are still dependent on the responsible parties. We are dedicated to working closely with all parties involved and making every effort to recover all funds. Any updates will be shared on our social media channels.
Future actions
In addition to the compensation plan, we would like to share our future plans with our community. We have filed a police case where the exploiter is located, and we will also file a case with the cybersecurity department to take legal action against the exploiter.
After we refund the recovery funds to LPs in the main pool, we will relaunch the pool without USP. All USP-related functions will be removed. We target to relaunch the pool next week, and we’ll keep the community updated on our progress
Governance will be our top priority after the relaunch of the main pool. We recognize the importance of governance in moving towards decentralization and have committed to building a governance forum where the community can submit proposals and engage with all proposals. We plan to deploy on-chain voting later to ensure that everyone can participate in decision-making in the future.
Moving forward, we intend to submit proposals for any innovative ideas to the governance forum, where the community can collectively make decisions about new features.
Final words
At Platypus, we understand that the recent exploit has been concerning for our community. However, we want to assure you that our core design, the stableswap, remains sound and has been performing well.
As we move towards full decentralization, we believe Platypus will grow stronger in the future. Our team is committed to continuing to present and deliver innovative features that benefit our community. Together, we can build more innovative features and deliver more for the ecosystem.
Update on Recovery Efforts After The Exploitation was originally published in Platypus.finance on Medium, where people are continuing the conversation by highlighting and responding to this story.