In a landmark decision, a French court acquitted Mohammed and Benamar M. of criminal charges related to the February 2023 hack of Platypus Finance, an Automated Market Maker (AMM) protocol on the Avalanche AVAX + network. The hack, which exploited a flaw in Platypus Finance‘s smart contract, resulted in a loss of approximately $8.5 million in stablecoin collateral.
According to a report in Le Monde, the Platypus Finance protocol suffered the hack on February 16, 2023, due to a logic error in the USP-Platypus’ stablecoin solvency check mechanism. This vulnerability allowed the attacker to borrow against flash-loaned collateral and subsequently withdraw it without repaying the debt. Following the breach, Platypus Finance managed to recover about 90% of the stolen assets, totaling $2.2 million.
The defendants arrested a week after the hack with the assistance of crypto sleuth ZachXBT and Binance, faced serious charges. Mohammed, 22, was accused of multiple counts related to the attack, while his brother Benamar was charged with receiving stolen goods. Prosecutors had sought a five-year prison sentence for Mohammed.
However, the court acquitted the brothers, accepting Mohammed’s defense that he was an “ethical hacker” who intended to return the funds to the protocol, expecting a 10% bonus of the total sum. During the flash loan attack, Mohammed inadvertently locked away millions of dollars of the stolen funds, recovering only about $270,000. Platypus also counter-hacked to salvage $2.4 million in USDC.
The judges ruled that Mohammed’s access to a publicly available smart contract did not constitute unauthorized computer system access. They further determined that his exploitation of Platypus‘s “emergency withdrawal” smart contract, which contained the vulnerability, did not amount to fraud. Consequently, the tribunal dropped related money laundering and receiving stolen goods charges.
Despite the acquittal, the judges reminded the brothers that Platypus Finance could still pursue civil action against them. They emphasized that the dismissal of the criminal charges did not grant “a carte blanche” for such actions. This ruling sets a precedent in the legal treatment of smart coFrenntract vulnerabilities and their exploitation, especially in the decentralized finance (DeFi) sector.