French court does not recognize Platypus protocol exploit as fraudulent

What’s new? A French court has completely acquitted two hackers who in February withdrew $8,5 million from the DeFi protocol Platypus. The authorities noted that the article on unauthorized access to a computer system could not be applied because the project’s smart contract was publicly available. They also did not recognize as fraudulent the hackers’ use of the withdrawal function, which contained a vulnerability.

The Block’s material

What else is known? The hackers conducted a flash loan attack on February 16. They invested $44 million in the Platypus USDC (LP-USDC) asset, receiving 44 million LP-USD, and then transferred LP-USD to a MasterPlatypusV4 contract. They then activated the borrowing feature to issue about 41,79 million USP in the PlatypusTreasure contract. This is the maximum amount allowed by the borrowing limit, which was set at 95% of the user’s collateral.

Since the attackers did not borrow more than 95% of the limit, the isSolvent value returned as true, which allowed them to call the emergencyWithdraw function and retrieve the full amount of 44 million LP-USDC. They then withdrew 44 million from Platypus USDC and exchanged USP for various assets through the Platypus financial pool.

The hackers, brothers Mohammed and Benamar, were arrested in France a week after the attack thanks to information from crypto exchange Binance and analyst ZachXBT, with 210 000 EUR in cryptocurrencies seized from them. Mohammed was charged with carrying out the attack, while Benamar was charged with receiving the stolen funds.

They claimed that they acted as white hackers and intended to later return 90% of the funds to the project, keeping 10% for themselves as a reward. However, during the flash loan attack, Mohammed mistakenly blocked millions of dollars and was only able to recover about $270 000. Platypus was also able to save $2,4 million in USDC through measures to prevent the attack.

Because the court ruled that fraud charges could not be filed, it also dismissed charges of receiving stolen goods and money laundering. However, authorities reminded the hackers that the Platypus team retains the right to pursue civil litigation.