DEFI

Platypus hacker acquitted after stealing £8.5 million: Using flawed smart contract not considered fraud

share
Platypus hacker acquitted after stealing £8.5 million: Using flawed smart contract not considered fraud

French newspaper Le Monde reported that the automatic market maker (AMM) protocol Platypus Finance on Avalanche, which was attacked by a flash loan in February this year, resulting in approximately $8.5 million in losses. The two hackers were arrested shortly after the incident. Recently, French authorities have dropped criminal charges against them, stating that using flawed smart contracts does not constitute fraud.

Stablecoin exchange protocol Platypus attacked by flash loan, $8.5 million loss

Platypus Hacker Arrested, Claims to be "Ethical Hacker"

On February 16th this year, the stablecoin exchange protocol Platypus, based on Avalanche, fell victim to a flash loan attack, where a hacker exploited a code error in the Platypus USD $USP collateral contract and successfully stole around $8.5 million.

A few days later, with the help of blockchain sleuth ZachXBT and the fund tracking capabilities of the exchange Binance, French authorities successfully arrested the attacking brothers Mohammed and Benamar M. Mohammed was accused of receiving the stolen funds, while Benamar M. faced charges of illegal access to and operation of an automated data processing system, fraud, and money laundering, with prosecutors seeking a 5-year prison sentence for both.

However, during his October court testimony, Benamar M. admitted to the actions but claimed to be an "ethical hacker," stating the following:

I took this money to return it to the protocol later and to receive 10% of the total amount as a bug bounty.

It was reported that Benamar M. mistakenly locked up millions of dollars of stolen funds during the attack and only managed to steal $263,000 in the end. Meanwhile, Platypus was able to recover $2.4 million in $USDC through the security firm BlockSec.

Judge: Exploiting Flawed Smart Contracts Not Fraudulent

The French court's ruling on the case stated that since Benamar M. accessed a publicly available smart contract, the charge of "unauthorized access to a data processing system" did not apply.

Furthermore, the court deemed that his exploitation of the flawed Platypus "emergency withdrawal" contract did not constitute fraud, stating:

The smart contract's design had vulnerabilities, so the defendant's actions do not meet the legal definition of fraud; even though Benamar M. did exploit the loophole, it cannot be considered fraud under the law.

As a result, the court acquitted the two defendants, dismissed the charges related to fraud, money laundering, and receiving stolen funds.

However, despite the criminal charges being dropped, the judge mentioned that Platypus could still pursue civil action against the hackers in court.

Platypus Vulnerability Exploits Becoming Common?

It was reported that in October of this year, the protocol experienced another incident where the sAVAX-AVAX liquidity pool was exploited, resulting in a loss of around 2.2 million $AVAX.

Even though they managed to recover over 90% of the stolen assets, concerns about the protocol's security were raised by the community:

This is not the first security incident with your protocol, yet you seem to have taken no action on compensating the victims for their losses.