- The court noted that the defendants' use of a flawed smart contract did not amount to fraud.
- Considering the similarity to a bug bounty attempt, the two men were cleared of all criminal charges.
In a surprising twist, the individuals behind the $8.5 million hack of Platypus Finance in February 2023 have been acquitted by a French court. The court’s ruling suggests that their use of a flawed smart contract doesn’t quite fit the bill for fraud, sparking conversations about the legal implications of exploiting vulnerabilities in public blockchain systems.
The accused, identified as brothers Mohammed and Benamar M., were nabbed just a week after the hack owing to intel from crypto detective ZachXBT and collaboration with Binance. Prosecutors hit 22-year-old Mohammed with multiple charges related to the attack, seeking a hefty five-year prison term. His brother faced accusations of handling stolen goods.
Following this, Mohammed’s defense took an unexpected turn, claiming he was an “ethical hacker.” According to his story, he pulled off the hack intending to return the funds to Platypus later, with dreams of scoring a 10% bonus for his efforts.
During the February 16 flash loan attack, Mohammed fumbled, locking away a chunk of the loot and managing to recover only about $270,000. Platypus fired back with a counter-hack, clawing back $2.4 million in USDC. The judges acknowledged the intricacies, noting that Mohammed accessed a publicly available smart contract, leading them to toss out charges related to unauthorized access.
Moreover, they ruled that Mohammed’s manipulation of Platypus’s vulnerable “emergency withdrawal” smart contract didn’t quite meet the criteria for fraud. This decision adds a layer of complexity to addressing vulnerabilities in blockchain systems, especially when the exploited code is out there for everyone to see.
Despite the not-guilty verdict on criminal charges, the court reminded the brothers that Platypus could still take them to civil court. While fraud charges were dropped, the judges made it clear that their decision wasn’t a blank check, leaving room for potential civil consequences.
The brothers’ claim of being “ethical hackers” drew comparisons to bug bounty programs, ultimately contributing to the dismissal of the charges against them. In an ironic turn, Platypus Finance faced another setback in October, losing $2.2 million in another flash loan exploit. CertiK’s investigation uncovered a series of attacks draining various cryptocurrencies, but Platypus managed to strike a deal with the hacker, recovering 90% of the stolen funds.