Decentralized finance protocol Platypus recovered 2.4 million USDC from yesterday's 9 million exploit with the help of smart contract audit firm BlockSec, the team announced on Twitter.

According to MetaSleuth, a crypto funds visualization and analysis tool powered by BlockSec, the attacker could only cash out $270,000 of the almost $9.1 million in stolen funds from Platypus. The first attack, which resulted in a loss of approximately $8.5 million, have been frozen in the attacked contract, while the second attack, which resulted in additional $380,000, was mistakenly transferred to Aave, on-chain data show.

Daniel Von Fange @danielvf revealed how Playtpus hack stolen funds have been recovered:

In a dazzling reverse hack, a substantial chunk of the Playtpus hack stolen funds have been recovered.

Here's how it worked: (1/4)

The attacker forgot to code any way collect the funds after stealing them, so the funds were locked in the attack contract.

They also neglected Flash Loan 101 and allowed anyone to call the flash loan callback code. No check that they had started the flash loan. 2/4

This allowed @BlockSecTeam and the project to retrigger the hack, but with one major twist - the project contracts had been upgraded to steal back from the attacker during the hack. 3/4

The attack sequence involved taking flash loaned USDC, approving it, and depositing into the project.

But during the retrigger, the attack code used its own stolen USDC to approve and deposit instead.

The new project code simply took the attacker's USDC and ran with it. 4/5

This was some magnificent recovery work by @BlockSecTeam. Definitely people to have on your side when things go bad. 5/5