DeFi Protocol Platypus to Repay at Least 63% of User Funds After $9M Hack

The Avalanche-based protocol worked with crypto exchange Binance to identify the exploiter responsible for last week's attack.

AccessTimeIconFeb 23, 2023 at 6:04 p.m. UTC
Updated Feb 23, 2023 at 7:14 p.m. UTC

Platypus Finance, a decentralized-finance (DeFi) protocol for stablecoins, will repay a minimum of 63% of funds to users after it managed to recover a part of the $9 million drained from the protocol last week, it said in a blog post Thursday.

The protocol also worked with crypto exchange Binance to confirm the exploiter’s identity. The hacker used a Binance account that went through know-your-customer checks for a withdrawal request. Platypus said it contacted law enforcement and filed a complaint in France.

The Platypus hack last week exploited a bug in the platform’s solvency check mechanism to steal $9.2 million of digital assets, leading to its native stablecoin USP yo lose its dollar peg.

The exploit consisted of three consecutive attacks, the post explained. The first and most severe drained a total of $8.5 million in stablecoins, including Circle’s USDC, Tether’s USDT, Maker’s DAI and Paxos’ binance USD from the protocol’s main pool.

The protocol recovered $2.4 million of stolen USDC stablecoins with the help of blockchain security firm BlockSec. Additionally, Tether froze $1.5 million of stolen USDT, according to the post.

The second attack mistakenly transferred $380,000 of stablecoins to lending protocol Aave. Platypus has submitted a proposal to Aave’s governance forum for the release of those assets.

Some $287,000 worth of assets were stolen in the third attack. The protocol considered the funds unrecoverable and lost, as the exploiter ran the stolen assets through crypto mixer Tornado Cash and encryption service Aztec Network, according to the post.

In the blog post, the protocol said it hadn't used its $1.4 million treasury to compensate victims of the hack, but might do so over the next six months if Platypus cannot recover more assets.

“This compensation plan ensures that a minimum of 63% of the funds will be distributed to users, regardless of any further update on fund recovery,” the Platypus post said.

If Tether agrees to remint the frozen USDT to Platypus and Aave approves the recovery proposal, then 78% of user funds will be recovered.

Platypus said it aims to restart the stablecoin swap protocol next week, without its depegged stablecoin, USP.

The Platypus exploit is the latest example of crypto’s rampant problem with hackers. Last year, hackers stole $3.8 billion in crypto assets, primarily from DeFi platforms such as Platypus, according to a report by blockchain security firm Chainalysis.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Krisztian  Sandor

Krisztian Sandor is a reporter on the U.S. markets team focusing on stablecoins and institutional investment. He holds BTC and ETH.