Platypus Finance, a decentralized finance (DeFi) protocol for stablecoins, will repay a minimum of 63% of funds to users after it managed to recover a part of the $9 million drained from the protocol last week, the protocol said in a blog post Thursday.
The protocol also worked with crypto exchange Binance to confirm the exploiter’s identity. The hacker used a Binance account that went through know-your-customer (KYC) checks for a withdrawal request. Platypus said it contacted law enforcement and filed a complaint in France.
The Platypus hack last week exploited a bug in the platform’s solvency check mechanism to steal some $9.2 million of digital assets, leading to its native stablecoin USP losing its dollar peg.
The exploit consisted of three consecutive attacks, the post explained. The first and most severe drained a total of $8.5 million in stablecoins, including Circle’s USDC, Tether’s USDT, Maker’s DAI and Paxos’ Binance USD from the protocol’s main pool.
The protocol recovered some $2.4 million of stolen USDC stablecoins with the help of blockchain security firm BlockSec. Additionally, Tether froze $1.5 million of stolen USDT, according to the post.
The second attack mistakenly transferred some $380,000 of stablecoins to lending protocol Aave. Platypus has submitted a proposal to Aave’s governance forum for the release of these assets.
Some $287,000 worth of assets were stolen in the third attack. The protocol considered the funds unrecoverable and lost, as the exploiter ran the stolen assets through crypto mixer Tornado Cash and encryption service Aztec Network, per the post.
In the blog post, the protocol said it had not used its $1.4 million treasury to compensate victims of the hack, but might do so over the next six months if Platypus cannot recover more assets.
“This compensation plan ensures that a minimum of 63% of the funds will be distributed to users, regardless of any further update on fund recovery,” the Platypus post said.
If Tether agrees to remint the frozen USDT to Platypus and Aave approves the recovery proposal, then some 78% of user funds will be recovered.
Platypus said it aims to restart the stablecoin swap protocol next week, without its depegged stablecoin USP.
The Platypus exploit is the latest example of crypto’s rampant problem with hackers. Last year, hackers stole a total of $3.8 billion in crypto assets, primarily from DeFi platforms such as Platypus, according to a report by blockchain security firm Chainalysis.