French police arrest two suspects over Platypus Finance hack

Platypus Finance, a decentralized finance (DeFi) protocol for stablecoins, yesterday announced that french authorities had arrested and summoned two suspects who had reportedly exploited their platform earlier. 

Platypus thanked the France National Police, Binance, and ZackXBT for helping identify and track the suspects. 

Update: @PoliceNationale have arrested and summoned 2 suspects who were reportedly exploiting our platform.
Thanks to the assistance of @binance and @zachxbt in tracing their identities.
Kudos to the prompt action by the authorities!

— Platypus 🔺 (🦆+🦦+🦫) (@Platypusdefi) February 25, 2023

The three-stage hack 

The hack occurred in three stages, Platypus explained in a blog post. The first stage was the most severe, with $8.5m in stablecoins such as Tether’s USDT, Circle’s USDC, Maker’s DAI, and Binance’s BUSD being drained from the DeFi protocol’s main pool.

Since the attack, we've been working with security experts & stakeholders to recover lost funds, trace the hacker, and explore potential solutions to retrieve trapped funds.
Here's an update on the progress made thus far 🧵
Check our medium for more info👇https://t.co/VoNYl9MAtd

— Platypus 🔺 (🦆+🦦+🦫) (@Platypusdefi) February 23, 2023

With assistance from the blockchain security company, BlockSec, following the hack, Platypus recovered $2.4m of the stolen USDC stablecoins. In addition, Tether froze $1.5m in stolen USDT. 

The second attack accidentally transferred $380,000 worth of stablecoins to the popular lending protocol Aave. Platypus reached out to Aave’s governance forum to release those assets.

During the third and final attack, the hacker stole $287,000 worth of unrecoverable assets as they moved them through the crypto mixer Tornado Cash and the encryption service Aztec Network.

According to Platypus, they had $1.4m in treasury reserves but hadn’t used them to pay the hacking victims anything. But, they might have to spend treasury funds if the protocol could not recover more assets over the subsequent six months.

If Tether could assist with defrosting the frozen, 78% of the users’ monies would be recovered thanks to USDT and Aave’s approval of the recovery request. The following week, Platypus announced they would revive the stablecoin swap protocol sans the depegged stablecoin, USP.

Platypus to compensate victims

On Feb. 23, the DeFi platform laid out a compensation plan, saying it would repay a minimum of 63% of the funds to users affected by the recent exploit.

Hackers drained more than $9m from the protocol last week. Platypus worked with crypto exchange Binance to confirm the exploiter’s identity. The hacker was using a Binance account that had gone through KYC checks for a withdrawal request. Platypus stated they had contacted law enforcement and filed a complaint in France.

During the hack, the hacker exploited a bug in the platform’s solvency check mechanism, stealing $9.2m of digital assets and causing the platform’s native stablecoin USP to lose the dollar peg.

While the recovery process is ongoing, Platypus Finance remains committed to providing its users with a secure and reliable platform for their financial needs.