French Police Arrest Duo Involved in Platypus Crypto Exploit

Flash loan exploit drained protocol of over $9 million in assets and knocked Platypus USD (USP) off its peg.

AccessTimeIconFeb 27, 2023 at 8:18 a.m. UTC
Updated May 9, 2023 at 4:08 a.m. UTC

Two people alleged to be behind an attack on the decentralized finance (DeFi) protocol Platypus have been arrested, according to a tweet by France's police department.

Of the $9 million in stolen assets, Platypus said it has recovered 2.4 million USDC and 687,000 BUSD; it has also worked with Tether to freeze 1.5 million USDT. French police seized approximately $220,000 worth of crypto as part of the arrest. USDC, USDT and BUSD are all stablecoins that are designed to reflect the price of fiat currencies like the U.S. dollar.

  • How NEAR Enables Multichain Access From One Account
    How NEAR Enables Multichain Access From One Account
  • How USD0 Plans to Bring More Transparency to the Existing Stablecoin Model
    How USD0 Plans to Bring More Transparency to the Existing Stablecoin Model
  • Total Supply of USD-Pegged Stablecoins Hit $128B: Glassnode
    Total Supply of USD-Pegged Stablecoins Hit $128B: Glassnode
  • The Future of Stablecoin-Powered Shopping
    The Future of Stablecoin-Powered Shopping
  • USP, a Platypus USD-backed stablecoin, is currently trading at 32 cents, according to CoinGecko.

    Platypus is a stablecoin-centric automated market maker (AMM) on the Avalanche blockchain. According to DeFiLlama, Platypus has $39.2 million in total value locked (TVL). The protocol’s TVL is down significantly from a March 2022 high of $1.2 billion.

    In a tweet, the protocol’s team thanked Binance and ZachXBT for their assistance in tracing the identity of the attacker.

    The type of attack used against Platypus involved a flash loan and is similar to the structure of attack used against Mango Markets late last year. Flash loans aren’t inherently a bad thing, they were initially developed as used as a tool for traders looking for arbitrage opportunities.

    This particular attack used a logic error within USP’s smart contracts, which continually checks for solvency. As CoinDesk previously reported, the attacker used borrowed crypto from Aave to supply liquidity to a trading pool on Platypus. The smart contracts then issued a liquidity provider token, LP-USDC, and placed it into a staking contract on the protocol. They then borrowed USP stablecoins against their LP positions and withdrew everything to Aave to repay the flash loan.

    On Feb. 24, Platypus announced it intends to replay a minimum of 63% of funds to users after it managed to recover a part of the $9 million drained from the protocol last week.

    French police aren’t naming the suspects or announcing the charges.


    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.