Feb 18, 2023

$8M Platypus Attack Due to Misordered Code

The recent $8M Platypus flash loan attack has been the talk of the web3 space, and now Omniscia, the project's auditor, has released a post-mortem report detailing the exploit. According to the report, the attack was possible because code in the Platypus MasterPlatypusV4 contract was written in the wrong order.

The audit report from Omniscia stated that the code for the emergencyWithdraw function had all of the necessary elements to prevent an attack, but these elements were written in the wrong order. The report emphasized that the issue could have been avoided if the code had been written in the correct order, with the solvency check performed after the user’s amount entry was set to zero.

Omniscia conducted an audit of the MasterPlatypusV4 contract from Nov. 21 to Dec. 5, 2021, but the version they looked at did not contain the misordered lines of code. This implies that the developers must have deployed a new version of the contract at some point after the audit was made.

The auditor claims that the contract implementation at Avalanche (AVAX) C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited. Lines 582-584 of this contract appear to call a function called “isSolvent” on the PlatypusTreasure contract, and lines 599-601 appear to set the user’s amount, factor, and rewardDebt to zero. However, these amounts are set to zero after the “isSolvent” function has already been called.
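The ordering problem described above, as an added example: a simplified Python model, not the MasterPlatypusV4 source or Omniscia's code. The debt field, the 50% borrow limit and all names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

class Revert(Exception):
    """Stands in for a failed require(): the call aborts with no state change."""

@dataclass
class UserInfo:
    amount: int = 0   # staked balance, counted as collateral by the solvency check
    debt: int = 0     # assumed: stablecoin borrowed against that stake

@dataclass
class MasterModel:
    users: dict = field(default_factory=dict)
    limit_bps: int = 5000   # constructed borrow limit: 50% of staked amount

    def is_solvent(self, who):
        u = self.users[who]
        return u.debt * 10_000 <= u.amount * self.limit_bps

    def emergency_withdraw_misordered(self, who):
        u = self.users[who]
        if not self.is_solvent(who):      # check sees the stake still credited
            raise Revert("insolvent")
        payout, u.amount = u.amount, 0    # zeroed only after the check passed
        return payout

    def emergency_withdraw_reordered(self, who):
        u = self.users[who]
        payout, u.amount = u.amount, 0    # zero the entry first
        if not self.is_solvent(who):      # check now sees the post-withdrawal state
            u.amount = payout             # model the revert rolling state back
            raise Revert("insolvent")
        return payout

def run_case(method_name, amount, debt):
    """Return (payout or None, amount left, solvent afterwards) for one borrower."""
    m = MasterModel(users={"borrower": UserInfo(amount, debt)})
    try:
        payout = getattr(m, method_name)("borrower")
    except Revert:
        payout = None
    return payout, m.users["borrower"].amount, m.is_solvent("borrower")

if __name__ == "__main__":
    for name in ("emergency_withdraw_misordered", "emergency_withdraw_reordered"):
        print(name, run_case(name, amount=1_000, debt=400))
```

In the misordered variant the position ends with debt and no stake behind it; in the reordered variant the same call reverts, while a user with no debt can still withdraw.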

The Platypus team confirmed on Feb. 16 that the attacker exploited a “flaw in [the] USP solvency check mechanism,” but the team did not initially provide further detail. This new report from the auditor sheds further light on how the attacker may have been able to accomplish the exploit.

The Platypus team announced on Feb. 16 that the attack had occurred, and it has attempted to contact the hacker and get the funds returned in exchange for a bug bounty. The attacker used flash loans to perform the exploit, which is similar to the strategy used in the Defrost Finance exploit of Dec. 25.

The incident has raised questions about the security of the web3 space and the need for more robust security measures. In particular, the use of Non-Fungible Tokens (NFTs) and their associated marketing has been highlighted as an area that needs more attention. NFTs are digital assets that are unique, and they are increasingly being used to promote products and services in the web3 space.

To address this issue, many web3 agencies and NFT marketing agencies have emerged to help projects launch and promote their NFTs. These agencies provide services such as NFT promotion, Twitter NFT marketing, and NFT marketing campaigns. They also offer advice on how to sell NFTs and how to best use them to promote projects.

The Platypus incident has highlighted the need for projects to use a reputable web3 agency and NFT marketing agency to ensure their project is secure and their NFTs are effectively marketed. It is also important for projects to thoroughly audit their code and make sure their contracts are secure before launching.

Disclaimer: All investment or financial opinions expressed by MoonLanding Media are not recommendations and are intended for entertainment purposes only. Do your own research prior to making any kind of investment. This article has been generated based on trending topics, has not been fact checked and may contain incorrect information. Please verify all information before relying on it.