Feb 19, 2023

$8M Platypus Attack Due to Misordered Code

The recent $8 million Platypus flash loan attack was made possible due to a coding error, according to a post mortem report from Platypus auditor Omniscia. The auditing firm claims that the problematic code wasn’t present in the version they reviewed.

The report highlighted that the Platypus MasterPlatypusV4 contract “contained a fatal misconception in its emergencyWithdraw mechanism”, which allowed it to perform its solvency check before updating the LP tokens associated with the stake position.

The audit team pointed out that the code for the emergencyWithdraw function had all the necessary components to prevent an attack, but these elements were placed in the wrong order. Omniscia noted that “the issue could have been prevented by re-ordering the MasterPlatypusV4::emergencyWithdraw statements and performing the solvency check after the user’s amount entry has been set to 0 which would have prohibited the attack from taking place.”

The auditing firm stated that they had reviewed a version of the MasterPlatypusV4 contract from Nov. 21 to Dec. 5, 2021, but this version “contained no integration points with an external platypusTreasure system” and thus lacked the misordered lines of code. This suggests that the developers must have deployed a new version of the contract after the audit was done.

The auditor then identified the contract implementation at Avalanche C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 as the one that was exploited. The report pointed out that lines 582–584 of this contract appear to call a function called “isSolvent” on the PlatypusTreasure contract, and lines 599–601 appear to set the user’s amount, factor and rewardDebt to zero. However, these amounts were set to zero after the “isSolvent” function had already been called.

The Platypus team confirmed on Feb. 16 that the attacker had exploited a “flaw in [the] USP solvency check mechanism”, but they did not initially provide further detail. The new report from the auditor sheds more light on how the attacker was able to pull off the exploit.

The Platypus team announced on Feb. 16 that the attack had occurred and attempted to contact the hacker to get the funds returned in exchange for a bug bounty. The attacker used flashed loans to perform the exploit, which is similar to the strategy used in the Defrost Finance exploit on Dec. 25, 2022.

The incident has highlighted the importance of NFT marketing and promotion, and the need for crypto and web3 agencies to pay attention to NFT marketing. Twitter NFT marketing is one way to promote NFTs, but it is also important for companies to create an effective NFT marketing strategy to ensure the success of their NFTs. It is also important for companies to hire a reputable NFT marketing agency to help them create and execute a successful NFT marketing plan. Additionally, companies should ensure that they are selling NFTs in a secure and compliant manner to protect their customers and their own reputation.

Disclaimer: All investment or financial opinions expressed by MoonLanding Media are not recommendations and are intended for entertainment purposes only. Do your own research prior to making any kind of investment. This article has been generated based on trending topics, has not been fact checked and may contain incorrect information. Please verify all information before relying on it.