Feb 18, 2023
$8M Platypus Attack Caused by Misordered Code
A post-mortem report from Platypus auditor Omniscia has revealed that the $8M flash loan attack on Platypus was made possible by code that was in the wrong order. The auditing company claims that the problematic code didn’t exist in the version they saw.
The report states that the Platypus MasterPlatypusV4 contract “contained a fatal misconception in its emergencyWithdraw mechanism” which caused it to perform its solvency check before updating the LP tokens associated with the stake position. Omniscia explained that the issue could have been prevented if the code had been written in the correct order, with the solvency check being performed after the user’s amount entry had been set to 0.
The audit, conducted from Nov. 21 to Dec. 5, 2021, didn’t contain any integration points with an external platypusTreasure system and therefore didn’t include the misordered lines of code. This could mean that the developers deployed a new version of the contract at some point after the audit was made.
The auditor claims that the contract implementation at Avalanche (AVAX) C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited. Lines 582-584 of this contract appear to call a function called “isSolvent” on the PlatypusTreasure contract, and lines 599-601 appear to set the user’s amount, factor, and rewardDebt to zero. However, these amounts are set to zero after the “isSolvent” function has already been called.
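The ordering problem described above can be reproduced in a small state model. The following is an added example, not code from the Platypus contract or from Omniscia's report: it is a simplified Python model rather than Solidity, and the `Pool` class, its `debt` mapping, and the rule that solvency means the stake covers the debt are assumptions made for illustration.

```python
# Simplified model of the check-ordering flaw; not the MasterPlatypusV4 source.
# Assumption: solvency means staked LP (as collateral) covers the user's debt.

class Revert(Exception):
    """Stands in for an EVM revert: the caller rolls state back."""


class Pool:
    def __init__(self):
        self.amount = {}   # user -> staked LP tokens (the "amount" entry)
        self.debt = {}     # user -> debt borrowed against the stake (assumed)
        self.wallet = {}   # user -> LP tokens held outside the pool

    def is_solvent(self, user):
        # Treasury-style check: reads the stake as it is *right now*.
        return self.amount.get(user, 0) >= self.debt.get(user, 0)

    def emergency_withdraw_misordered(self, user):
        # Check first: the stake is still counted, so an indebted user passes.
        if not self.is_solvent(user):
            raise Revert("not solvent")
        staked = self.amount.get(user, 0)
        self.amount[user] = 0
        self.wallet[user] = self.wallet.get(user, 0) + staked

    def emergency_withdraw_reordered(self, user):
        # Zero the entry first, then check: debt with no stake behind it fails.
        staked = self.amount.get(user, 0)
        self.amount[user] = 0
        if not self.is_solvent(user):
            self.amount[user] = staked   # emulate the revert's rollback
            raise Revert("not solvent after withdrawal")
        self.wallet[user] = self.wallet.get(user, 0) + staked


def run(withdraw_name, stake=100, debt=80):
    """Constructed scenario: returns (withdrawn, pool_left_undercollateralised)."""
    pool = Pool()
    pool.amount["u"], pool.debt["u"] = stake, debt
    try:
        getattr(pool, withdraw_name)("u")
    except Revert:
        pass
    return pool.wallet.get("u", 0), not pool.is_solvent("u")
```

With the constructed values (stake 100, debt 80), the misordered path releases the full stake and leaves the debt unbacked, while the reordered path reverts and leaves the position untouched.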
The Platypus team confirmed on Feb. 16 that the attacker exploited a “flaw in [the] USP solvency check mechanism,” and the new report from the auditor has provided further details on how the attack was carried out. The team has attempted to contact the hacker and get the funds returned in exchange for a bug bounty.
The attack on Platypus is similar to the strategy used in the Defrost Finance exploit of Dec. 25, which also involved the use of flash loans. In the wake of these incidents, web3 agencies and NFT marketing agencies have been warning of the risks associated with flash loans and advising clients to take steps to protect their digital assets.
Twitter NFT marketing has become increasingly popular as a way of promoting Non-Fungible Tokens (NFTs) and selling NFTs. However, agencies are now recommending that clients use a variety of marketing strategies to ensure that their assets are safe from potential attacks.
Web3 agencies have also been emphasizing the importance of having a comprehensive security audit carried out before launching any new products or services. This is especially important for projects that involve the use of cryptocurrencies or DeFi products, which can be vulnerable to malicious actors.
The Platypus incident serves as a reminder of the importance of security and the potential consequences of not taking the necessary precautions. It is essential for web3 and NFT marketing companies to ensure that their clients’ assets are protected and that the necessary security measures are in place.
Disclaimer: All investment or financial opinions expressed by MoonLanding Media are not recommendations and are intended for entertainment purposes only. Do your own research prior to making any kind of investment. This article has been generated based on trending topics, has not been fact checked and may contain incorrect information. Please verify all information before relying on it.