Decentralized finance (DeFi) firm Platypus is working on a compensation plan for users’ losses after a flash loan attack drained nearly $8.5 million from the protocol, affecting its stablecoin dollar-peg. 

In a tweet on Feb. 18, Platypus said it was working on a plan to compensate the damages and asked users not to realize their losses in the protocol, saying this would make it harder for the company to manage the issue. Asset liquidations are also paused, said the protocol:

2/ We are working on a plan to compensate the losses, please DO NOT repay your USP and realize the losses. It would be easier for us to manage the damage. Also, you don’t have to worry about liquidation as liquidation is paused, stability fee after the attack will not be counted

— Platypus (++) (@Platypusdefi) February 18, 2023

According to the firm, different parties, including legal enforcement officials, are currently involved in the funds’ recovery process. Further details about the next steps will be disclosed soon, noted Platypus. 

Part of the funds are locked up in the Aave protocol. Platypus is exploring a method to potentially recover the funds, which would require the approval of a recovery proposal in Aave’s governance forum.

Blockchain security firm CertiK first reported the flash loan attack on the platform through a tweet on Feb.16, along with the alleged attacker’s contract address. Nearly $8.5 million was moved from the protocol, and as a result, the Platypus USD (USP) stablecoin depegged from the U.S. dollar, dropping to $0.33 at the time of writing.

“The attacker used a flashloan to exploit a logic error in the USP solvency check mechanism in the contract holding the collateral,” said the company. A potential suspect has been identified. 

A technical post-mortem analysis conducted by auditing company Omniscia revealed the attack was made possible by incorrectly placed code after it was audited. Omniscia audited a version of the MasterPlatypusV1 contract from Nov. 21 to Dec. 5, 2021. The version, however, “contained no integration points with an external platypusTreasure system” and therefore did not contain the misordered lines of code.

The flash loan attack exploits the smart contract security of a platform to borrow large amounts of money without collateral. Once a cryptocurrency asset has been manipulated on one exchange, it is quickly sold on another, allowing the exploiter to profit from the price manipulation.