French police arrest 2 people in connection to Platypus attack

Two suspects have been arrested by the French police in connection with Platypus’ $9.1 million exploit, and 210,000 euros worth of cryptocurrency has been seized, according to the local authorities. 

Investigations leading to the arrests were supported by on-chain sleuth ZachXBT and crypto exchange Binance, said Platypus. The decentralized protocol was compromised in three separate flash loan attacks carried out by the same exploiter on Feb. 16.

The attacks resulted in the theft of several stablecoins and other digital assets. The first attack resulted in the theft of approximately $8.5 million in assets. Approximately 380,000 assets were mistakenly sent to the Aave v3 contract in the second incident. As a result of the third attack, roughly $287,000 was stolen. The attack resulted in the depegged of the Platypus USD (USP) stablecoin from the U.S. dollar. 

Perpetrators used a flash loan to explore a logic error in the USP solvency check mechanism within the collateral-holding, Platypus recently confirmed. The stable swap operations have not been affected.

A flash attack is the same method used by Mango Market’s exploiter Avi Eisenberg, who claimed responsibility for manipulating the price of the MNGO coin in October 2022. After the exploit, Eisenberg said that “all of our actions were legal open market actions, using the protocol as designed.” Eisenberg was arrested on fraud charges on Dec. 28.

Platypus announced a plan to return funds to affected users on Feb. 23. According to the protocol, 63% of the main pool funds will be returned within six months. As per the plan, reminting frozen stablecoins could result in 78% of the funds being recovered. “If our proposal submitted to Aave is approved and Tether confirms reminting the frozen USDT, we will be able to recover approximately 78% of user’s funds,” noted the protocol.