Why were 2 French hackers acquitted of the $9.5 million attack on the Platypus protocol?

by v

In February, the Platypus decentralized finance protocol on Avalanche fell victim to a hack worth almost $10 million. The suspects, 2 brothers, were acquitted by the French justice system, which believes that the flaw came from Platypus’ smart contracts. We take a look at the situation with a specialist lawyer.

Platypus: a hack worth almost 10 million dollars

In February of this year, the decentralized finance (DeFi) protocol Platypus, hosted on Avalanche (AVAX), suffered a $9.5 million hack. Thanks to the joint efforts of Binance, the French national police and on-chain investigator ZachXBT, 2 suspects were quickly arrested.

The 2 brothers, Mohammed and Benamar M., were respectively indicted for accessing and maintaining an automated data processing system, fraud, money laundering and handling stolen goods. On October 26, Mohammed M., the main suspect, aged 22, admitted the facts but claimed that he had acted as a “white hat” hacker and that he intended to return the funds before receiving a reward from Platypus.

The claim is impossible to verify: when the attack was carried out, the hacker was only able to withdraw $270,000, since $8.9 million had been mistakenly frozen in an Avalanche smart contract and another portion in the Aave protocol.

However, the public prosecutor’s office requested a 5-year prison sentence, 3 years suspended, with a committal order. At the time, the prosecutor stated that this case, the first relating to a crypto hack in France, should be treated with the same seriousness as a classic financial crime, adding that “the flaw we can have is to think that virtual money takes away the seriousness”.

French justice incompatible with cryptocurrencies

But according to the court, Platypus is indeed to blame for the hack, since the flaw came from its own smart contracts. According to the president of the 13th correctional chamber specializing in cybercrime, “using an element provided for in the contract […] may possibly constitute contractual performance in bad faith,” but not “a maneuver within the meaning of the penal code”. The main suspect’s younger brother, aged 20, was also acquitted on charges of handling stolen goods.

Their lawyers, Mes Seydi Ba and Théodore Jean-Baptiste, welcomed the absence of a sentence:

“We welcome the proper application of the law and the distinction made between morality and criminal law.”

On the contrary, Marie Robin, the lawyer for the Platypus protocol, reacted sharply to the court ruling, calling it “a veritable blank check to fraudulent exploits and maneuvers on the blockchain”:

“[This is] a retrograde approach to tech by the French courts. […] Companies will have no interest in setting up in a country where they will potentially be confronted with aberrant court rulings that condone theft of funds on blockchain.”

However, the judges reminded the 2 brothers that Platypus still had the option of suing them civilly, and that even though the charges against them had not been lifted, this did not constitute “carte blanche” to do it again.

Clarification by law firm ORWL

To better understand the ins and outs of this case, we interviewed Romain Chilly, a lawyer at ORWL, a firm specializing in cryptocurrencies and Web3.

First of all, he reminds us that the judgment is not final, and that it is indeed necessary to explore the verdict rendered:

“I still have reservations about the way in which the judges have ruled out criminal offences, but several elements lead me to believe that the verdict that has been handed down is not as baroque as it may seem on first reading of the case file: firstly, the judgment is not yet final, the public prosecutor has 10 days to appeal from the time the judgment is handed down.”

Later, Romain Chilly explains that, since the defendants made use of the protocol as designed, it’s understandable that the courts don’t necessarily qualify the act as a criminal offence:

“Secondly, for the sake of ease of language, the term “hack” is used to refer to situations that are highly heterogeneous, both in terms of the technical manner in which they were committed, and the intention and level of preparation of the perpetrators, and therefore the legal qualification that can be made of them. I understand from the Platypus case that the defendants activated an emergency withdrawal clause, which was technically possible under the protocol. If this activation was clearly not legitimate and appears to have been made in bad faith, the debate as to whether this constitutes a criminal offence or contractual performance in bad faith does not seem illegitimate to me.”

Finally, the lawyer points out that such a decision is hardly surprising insofar as the regulations governing decentralized finance in France still require a little clarity:

“To sum up, it seems to me that this decision is in line with the emerging jurisprudence of the criminal courts in matters of cybercrime in DeFi, as the courts do not wish to penalize litigious situations resulting from bugs or features resulting from incorrectly parameterized smart contracts. It leaves it to the civil courts to resolve such situations.”
