Feb 19, 2023

$8M Platypus Attack Enabled by Misordered Code

The recent $8M Platypus flash loan attack was the result of a coding mistake, according to an audit report from Platypus auditor Omniscia. The auditing company claims that the flawed code was not present in the version they saw.

The report explains that the Platypus MasterPlatypusV4 contract “contained a fatal misconception in its emergencyWithdraw mechanism” which caused it to perform “its solvency check before updating the LP tokens associated with the stake position.” The code for the emergencyWithdraw function had all of the necessary elements to prevent an attack, but they were in the wrong order. Had the code been rearranged, the attack would not have been possible.

Omniscia audited a version of the MasterPlatypusV4 contract from Nov. 21 to Dec. 5, 2021. However, this version “contained no integration points with an external platypusTreasure system” and therefore did not contain the misordered lines of code. This suggests that the developers must have deployed a new version of the contract at some point after the audit was made.

The audit report states that the contract implementation at Avalanche (AVAX) C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited. Lines 582-584 of this contract appear to call a function called “isSolvent” on the PlatypusTreasure contract, and lines 599-601 appear to set the user’s amount, factor, and rewardDebt to zero. However, these amounts are set to zero after the “isSolvent” function has already been called.
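The ordering problem described above, as a simplified Python model added here; it is not the MasterPlatypusV4 or PlatypusTreasure source. The `borrowed` field, the 50% collateral rule and all function names are assumptions made for illustration; only `amount`, `factor` and `rewardDebt` come from the report's description.

```python
from dataclasses import dataclass


class Insolvent(Exception):
    """Stands in for an EVM revert."""


@dataclass
class Position:
    amount: int = 0       # staked LP tokens, counted as collateral
    factor: int = 0
    reward_debt: int = 0
    borrowed: int = 0     # debt against the stake (hypothetical field)


def is_solvent(pos: Position, ratio_pct: int = 50) -> bool:
    # Assumed rule: debt may not exceed ratio_pct percent of the stake.
    return pos.borrowed * 100 <= pos.amount * ratio_pct


def emergency_withdraw_misordered(pos: Position) -> int:
    # The check reads the stake before it is zeroed, so it describes a
    # position that no longer exists once the function returns.
    if not is_solvent(pos):
        raise Insolvent("position has outstanding debt")
    released = pos.amount
    pos.amount = pos.factor = pos.reward_debt = 0
    return released


def emergency_withdraw_reordered(pos: Position) -> int:
    # Same statements, rearranged: update the position first, then check
    # solvency of the resulting state and undo the update on failure.
    saved = (pos.amount, pos.factor, pos.reward_debt)
    released = pos.amount
    pos.amount = pos.factor = pos.reward_debt = 0
    if not is_solvent(pos):
        pos.amount, pos.factor, pos.reward_debt = saved  # models the revert
        raise Insolvent("withdrawal would leave debt uncollateralized")
    return released


def post_withdraw_invariant_holds(withdraw, pos: Position) -> bool:
    # Regression check: after any withdraw attempt the position is solvent.
    try:
        withdraw(pos)
    except Insolvent:
        pass
    return is_solvent(pos)
```

A post-state invariant such as `post_withdraw_invariant_holds` is the kind of test that flags the misordered version regardless of which line the check sits on.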

The Platypus team confirmed on Feb. 16 that the attacker exploited a “flaw in [the] USP solvency check mechanism,” but the team did not initially provide further detail. This new report from the auditor sheds light on how the attacker was able to exploit the platform.

The Platypus team announced on Feb. 16 that the attack had occurred. They have attempted to contact the hacker and return the funds in exchange for a bug bounty. The attacker used flash loans to perform the exploit, which is similar to the strategy used in the Defrost Finance exploit of Dec. 25.

The incident has sparked a discussion about the security of the web3 space, and the need for more robust security measures.

Disclaimer: All investment or financial opinions expressed by MoonLanding Media are not recommendations and are intended for entertainment purposes only. Do your own research prior to making any kind of investment. This article has been generated based on trending topics, has not been fact checked and may contain incorrect information. Please verify all information before relying on it.