Two people alleged to be behind an attack on the decentralized finance (DeFi) protocol Platypus have been arrested, according to a tweet by France's police department.
Of the $9 million in stolen assets, Platypus said it has recovered 2.4 million USDC and 687,000 BUSD; it has also worked with Tether to freeze 1.5 million USDT. French police seized approximately $220,000 worth of crypto as part of the arrest. USDC, USDT and BUSD are all stablecoins that are designed to reflect the price of fiat currencies like the U.S. dollar.
[#Cybercriminalité]La #PoliceNationale met fin à une escroquerie d'ampleur pour un préjudice de 9,5 millions💰sur une société américaine d’échange de cryptomonnaies.
Interpellation et convocation en justice de 2 individus
👉saisie de 210 000 € en cryptomonnaies#PoliceJudiciaire pic.twitter.com/rKKuG95cWh
— Police nationale (@PoliceNationale) February 24, 2023
USP, a Platypus USD-backed stablecoin, is currently trading at 32 cents, according to CoinGecko.
Platypus is a stablecoin-centric automated market maker (AMM) on the Avalanche blockchain. According to DeFiLlama, Platypus has $39.2 million in total value locked (TVL). The protocol’s TVL is down significantly from a March 2022 high of $1.2 billion.
In a tweet, the protocol’s team thanked Binance and ZachXBT for their assistance in tracing the identity of the attacker.
The type of attack used against Platypus involved a flash loan and is similar to the structure of attack used against Mango Markets late last year. Flash loans aren’t inherently a bad thing, they were initially developed as used as a tool for traders looking for arbitrage opportunities.
This particular attack used a logic error within USP’s smart contracts, which continually checks for solvency. As CoinDesk previously reported, the attacker used borrowed crypto from Aave to supply liquidity to a trading pool on Platypus. The smart contracts then issued a liquidity provider token, LP-USDC, and placed it into a staking contract on the protocol. They then borrowed USP stablecoins against their LP positions and withdrew everything to Aave to repay the flash loan.
On Feb. 24, Platypus announced it intends to replay a minimum of 63% of funds to users after it managed to recover a part of the $9 million drained from the protocol last week.
French police aren’t naming the suspects or announcing the charges.