French Police Arrest Duo Involved in Platypus Crypto Exploit

Flash loan exploit drained protocol of over $9 million in assets and knocked Platypus USD (USP) off its peg.

Feb 27, 2023 at 8:18 a.m. UTC
Updated Feb 27, 2023 at 3:34 p.m. UTC

Two people alleged to be behind an attack on the decentralized finance (DeFi) protocol Platypus have been arrested, according to a tweet by France's police department.

Of the $9 million in stolen assets, Platypus said it has recovered 2.4 million USDC and 687,000 BUSD; it has also worked with Tether to freeze 1.5 million USDT. French police seized approximately $220,000 worth of crypto as part of the arrest. USDC, USDT and BUSD are all stablecoins that are designed to reflect the price of fiat currencies like the U.S. dollar.

USP, a Platypus USD-backed stablecoin, is currently trading at 32 cents, according to CoinGecko.

Platypus is a stablecoin-centric automated market maker (AMM) on the Avalanche blockchain. According to DeFiLlama, Platypus has $39.2 million in total value locked (TVL). The protocol’s TVL is down significantly from a March 2022 high of $1.2 billion.

In a tweet, the protocol’s team thanked Binance and ZachXBT for their assistance in tracing the identity of the attacker.

The type of attack used against Platypus involved a flash loan and is similar in structure to the attack used against Mango Markets late last year. Flash loans aren’t inherently a bad thing; they were initially developed and used as a tool for traders looking for arbitrage opportunities.

This particular attack used a logic error within USP’s smart contracts, which continually check for solvency. As CoinDesk previously reported, the attacker used borrowed crypto from Aave to supply liquidity to a trading pool on Platypus. The smart contracts then issued a liquidity provider token, LP-USDC, and placed it into a staking contract on the protocol. They then borrowed USP stablecoins against their LP positions and withdrew everything to Aave to repay the flash loan.

On Feb. 24, Platypus announced it intends to repay a minimum of 63% of funds to users after it managed to recover a part of the $9 million drained from the protocol last week.

French police aren’t naming the suspects or announcing the charges.

