
Authorities in France Arrest Duo Involved in Platypus Exploit

by Linh Nguyen

Flash loan exploit drained protocol of over $9 million in assets and knocked Platypus USD (USP) off its peg.

Two people alleged to be behind an attack on the decentralized finance (DeFi) protocol Platypus have been arrested, according to a tweet by France’s police department.

Of the $9 million in stolen assets, Platypus said it has recovered 2.4 million USDC and 687,000 BUSD. It has also worked with Tether to freeze 1.5 million USDT. French police seized approximately $220,000 worth of crypto as part of the arrest. USDC, USDT and BUSD are all stablecoins that are designed to reflect the price of fiat currencies like the U.S. dollar.

USP, a Platypus USD-backed stablecoin, is currently trading at $0.32 according to CoinGecko.

Platypus is a stablecoin-centric automated market maker (AMM) on the Avalanche blockchain. According to DeFiLlama, Platypus has $39.2 million in total value locked (TVL). The protocol’s TVL is down significantly from a March 2022 high of $1.2 billion.

In a tweet, the protocol’s team thanked Binance and ZachXBT for their assistance in tracing the identity of the attacker.

The attack used against Platypus involved a flash loan and is similar in structure to the attack used against Mango Markets late last year. Flash loans aren’t inherently a bad thing; they were initially developed as a tool for traders looking for arbitrage opportunities.

This particular attack exploited a logic error within USP’s smart contracts, which continually check for solvency. As CoinDesk previously reported, the attacker used crypto borrowed from Aave to supply liquidity to a trading pool on Platypus. The smart contracts then issued a liquidity provider token, LP-USDC, and placed it into a staking contract on the protocol. The attacker then borrowed USP stablecoins against their LP positions and withdrew everything to Aave to repay the flash loan.

On February 24, Platypus announced it intends to repay a minimum of 63% of funds to users after it managed to recover part of the $9 million drained from the protocol last week.

French police aren’t naming the suspects or announcing the charges.