French newspaper Le Monde reported that Platypus Finance, the automated market maker (AMM) protocol on Avalanche, was hit by a flash loan attack in February this year, causing a loss of approximately US$8.5 million. Two hackers were arrested a few days later. Recently, French authorities have dropped criminal charges against them, stating that the use of flawed smart contracts does not constitute fraud.
Platypus hacker arrested, calls himself "ethical hacker"
On February 16 this year, Platypus, a stablecoin exchange protocol based on Avalanche, was hit by a flash loan attack. The hackers stole approximately US$8.5 million by exploiting a code error in the collateral contract of its stablecoin, Platypus USD ($USP).
#CertiKSkynetAlert
We are seeing a #flashloanattack on @Platypusdefi resulting in a potential loss of ~$8.5M.
Tx AVAX: 0x1266a937c2ccd970e5d7929021eed3ec593a95c68a99b4920c2efa226679b430
Stay Frosty! pic.twitter.com/AM2HOM5M2r
— CertiK Alert (@CertiKAlert) February 16, 2023
A few days later, thanks to fund tracing by on-chain detective ZachXBT and the exchange Binance, the French authorities arrested the two attackers, brothers Mohammed and Benamar M. The former was accused of receiving stolen money, while the latter was charged with unlawful access to, and withdrawal from, an automated data processing system, as well as fraud and money laundering. Prosecutors sought a five-year prison sentence for both men.
However, in his statement in court in October, Benamar M. admitted the facts but argued that he was an "ethical hacker" who had acted in good faith:
I siphoned off the funds with the intention of returning them to the protocol later and receiving 10% of the total amount as a bug bounty.
It is reported that Benamar M. mistakenly locked millions of dollars of the stolen funds during the attack, and only $263,000 was actually stolen. Platypus also recovered $2.4 million in $USDC with the help of the security company BlockSec.
Judge: Using defective smart contracts does not constitute fraud
The French court's judgment on the case pointed out that since Benamar M. accessed a publicly available smart contract, the charge of "unauthorized entry into the data processing system" did not apply.
The court also held that his successful use of Platypus's "emergency withdrawal" contract, which contained code errors, did not in itself constitute fraud:
There is a loophole in the design of the smart contract, so the defendant's behavior does not meet the legal definition of fraud; even if Benamar M.'s behavior did take advantage of the loophole, it cannot be legally considered fraud.
The court therefore found the two defendants not guilty. Since the fraud charges were not established, it also dropped the related charges of money laundering and receiving stolen money.
Although these criminal charges were dismissed, the judge said that Platypus can still sue the two hackers in civil court.
Are Platypus contract exploits frequent?
It is understood that the protocol also experienced a vulnerability exploit in the sAVAX-AVAX liquidity pool in October this year, resulting in the loss of approximately 2.2 million $AVAX.
Even though more than 90% of the stolen assets were eventually recovered, members of the community expressed concerns about the protocol's security:
This is not the first time a security incident has occurred under your agreement, yet you appear to have taken no action on how to compensate victims for their losses.
This article, "Platypus hacker was acquitted of stealing US$8.5 million: using defective smart contracts does not constitute fraud", first appeared on Chain News ABMedia.