Feb 18, 2023
$8M Platypus Attack Due to Misordered Code
The $8m Platypus flash loan attack was made possible due to a code error, according to a post mortem report from Platypus auditor Omniscia. The auditing firm claimed the problematic code was not present in the version they had seen.
The report stated that the Platypus MasterPlatypusV4 contract “contained a fatal misconception in its emergencyWithdraw mechanism” which caused it to conduct “its solvency check before updating the LP tokens associated with the stake position.”
The code for the emergencyWithdraw function had all of the necessary elements to prevent an attack, but the order in which they were written was incorrect, as Omniscia explained:
“The issue could have been prevented by re-ordering the MasterPlatypusV4::emergencyWithdraw statements and performing the solvency check after the user’s amount entry has been set to 0 which would have prohibited the attack from taking place.”
Omnisia admitted that they audited a version of the MasterPlatypusV4 contract from Nov. 21 to Dec. 5, 2021. This version “contained no integration points with an external platypusTreasure system” and therefore did not contain the misordered lines of code. This implies that the developers must have deployed a new version of the contract at some point after the audit was made.
The auditor claims that the contract implementation at Avalanche (AVAX) C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited. Lines 582-584 of this contract appear to call a function called “isSolvent” on the PlatypusTreasure contract, and lines 599-601 appear to set the user’s amount, factor, and rewardDebt to zero. However, these amounts are set to zero after the “isSolvent” function has already been called.
The Platypus team confirmed on Feb. 16 that the attacker exploited a “flaw in [the] USP solvency check mechanism,” but the team did not initially provide further detail. This new report from the auditor sheds more light on how the attack was made possible.
The Platypus team announced on Feb. 16 that the attack had occurred and has since attempted to contact the hacker in order to get the funds returned in exchange for a bug bounty. This strategy was similar to the one used in the Defrost Finance exploit of Dec. 25, which also used flashed loans.
The incident is a reminder of the importance of proper code implementation and auditing when dealing with Non-Fungible Tokens (NFTs) and other crypto assets. To ensure that NFTs are properly marketed and promoted, businesses should consider working with a web3 agency and/or a dedicated NFT marketing agency to ensure that their NFTs are properly advertised on social media platforms, such as Twitter, and that their marketing campaigns are successful. Additionally, businesses should ensure that their NFTs are properly audited to avoid any similar incidents in the future.
Disclaimer: All investment or financial opinions expressed by MoonLanding Media are not recommendations and are intended for entertainment purposes only. Do your own research prior to making any kind of investment. This article has been generated based on trending topics, has not been fact checked and may contain incorrect information. Please verify all information before relying on it.
