A French court has acquitted the individuals responsible for the Platypus Finance hack in February 2023. The hack caused a loss of $8.5 million for the Avalanche stablecoin project.
According to the court, the hackers’ use of a flawed smart contract on the protocol did not constitute fraud.
Court Acquits Platypus Finance Hackers
The hackers behind the February 2023 hack of Platypus Finance, an Automated Market Maker (AMM) protocol on Avalanche, have been acquitted by a French court, which cleared them of criminal charges. According to a report by Le Monde, the perpetrators, identified as Mohammed and Benamar M, were arrested shortly after the hack. The arrest was possible thanks to the information provided by crypto investigators ZachXBT and Binance. Platypus Finance had announced the news of the arrest on X, stating,
“Update: @PoliceNationale have arrested and summoned 2 suspects who were reportedly exploiting our platform. Thanks to the assistance of @binance and @zachxbt in tracing their identities. Kudos to the prompt action by the authorities!”
Authorities brought several charges related to the attack against 22-year-old Mohammed, while his brother Benamar M was charged with receiving stolen goods. French prosecutors had sought a five-year prison sentence for Mohammed. The brothers had stolen nearly $8.5 million during the hack.
The Defence
However, the defendants were acquitted after Mohammed argued that he was an ethical hacker who acquired the funds from the protocol so that he could return them and receive a bonus of 10% of the total sum. During the attack, Mohammed mistakenly locked millions of dollars of the stolen funds and could recover only around $270,000. Meanwhile, Platypus Finance was able to salvage $2.4 million worth of USDC through a counter-hack.
The judges also found that Mohammed was accessing a publicly accessible smart contract. According to them, this meant that charges related to the unauthorized access of a computer system did not apply. The court also found that Mohammed’s use of Platypus’s own “emergency withdrawal” smart contract did not constitute fraud.
Because the fraud charges were no longer applicable, the judges also dropped the money laundering and receiving stolen goods charges against the brothers. However, the judges warned the brothers that Platypus Finance could still pursue them in civil court. They added that while criminal charges could not hold up, the decision was not “a carte blanche.”
Platypus Had Recovered Some Funds
Platypus Finance was able to recover $2.4 million in USDC with the help of blockchain security firm BlockSec. The hacker, on the other hand, was able to cash out only $270,000, with $8.5 million frozen in the contract they were transferred to. Co-founder of BlockSec, Yajin Zhou, talked about how they were able to recover some of the stolen funds by taking advantage of a loophole in the attacker’s smart contract.
“By leveraging this loophole, the project can transfer the funds from the attacker contract to the project’s account. The project recovered $2 million using the proof of concept provided by us. This was to recover the funds in the attacker’s contract.”
BlockSec used a callback function in the hacker’s contract to get back some of the stolen funds.
“The attack was launched through the flash loan callback interface in the attack contract. This callback function has no access control. During this callback function, the attacker hardcoded the logic to approve USDC to the project’s contract. So, the project can first invoke the callback function in the attacker contract to approve USDC to the project’s contract. Then the project contract can withdraw the USDC from the attacker contract by upgrading the proxy to a new implementation.”
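The callback weakness described in the quote above, as an added Python model that is not code from BlockSec, Platypus or the original article: it shows that a callback with no caller check lets any address trigger the hardcoded approval, and that checking the caller blocks it. The class names, addresses, amounts and the `check_caller` switch are constructed for illustration, and the proxy upgrade step is reduced to a direct `transfer_from` call.

```python
# Simplified model (constructed for illustration): an ERC-20-style allowance
# ledger and a contract whose flash-loan callback approves a fixed spender.

class Token:
    def __init__(self):
        self.balances = {}
        self.allowances = {}          # (owner, spender) -> approved amount

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        allowed = self.allowances.get((owner, caller), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class CallbackContract:
    """Holds tokens; its callback approves a hardcoded spender."""
    def __init__(self, address, token, hardcoded_spender, lender, check_caller):
        self.address, self.token = address, token
        self.spender, self.lender = hardcoded_spender, lender
        self.check_caller = check_caller   # hypothetical switch for the demo

    def flash_loan_callback(self, msg_sender, amount):
        # The access control the quoted description says was missing:
        # only the flash-loan lender should be able to invoke the callback.
        if self.check_caller and msg_sender != self.lender:
            raise PermissionError("callback: caller is not the lender")
        self.token.approve(self.address, self.spender, amount)


def run(check_caller):
    """A third party calls the callback, then the approved spender pulls funds.
    Returns (project balance, holder balance) afterwards."""
    usdc = Token()
    usdc.balances["holder"] = 1_000   # constructed amount
    c = CallbackContract("holder", usdc, "project", "lender", check_caller)
    try:
        c.flash_loan_callback(msg_sender="anyone", amount=1_000)
        usdc.transfer_from("project", "holder", "project", 1_000)
    except PermissionError:
        pass                          # guarded callback rejects the call
    return usdc.balances.get("project", 0), usdc.balances["holder"]
```
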