Feb 18, 2023

$8M Platypus Attack Explained: Code Misorder Revealed

The recent $8 million Platypus flash loan attack was made possible by a critical misconception in the MasterPlatypusV4 contract code, according to a post-mortem report by Platypus auditor Omniscia. The auditing company claims that the code that allowed the attack to occur was not present in the version it saw.

The report states that the MasterPlatypusV4 contract contained a “fatal misconception in its emergencyWithdraw mechanism” which caused it to perform its solvency check before updating the LP tokens associated with the stake position. Omniscia explains that the issue could have been avoided by re-ordering the MasterPlatypusV4::emergencyWithdraw statements and performing the solvency check after the user’s amount entry has been set to 0.

The audit was conducted from Nov. 21 to Dec. 5, 2021. However, the version audited did not contain an integration point with an external platypusTreasure system, and thus did not contain the misordered lines of code. This implies that the developers must have deployed a new version of the contract at some point after the audit.

The auditor claims that the contract implementation at the Avalanche (AVAX) C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited. The lines of code in this contract appear to call a function called “isSolvent” on the PlatypusTreasure contract, and then set the user’s amount, factor, and rewardDebt to zero. However, these amounts are set to zero after the “isSolvent” function has already been called.
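The ordering problem described above, as an added Python model that is not the MasterPlatypusV4 source or Omniscia's code. The class names, the `alice` account, the balances, and the rule that staked LP counts one-for-one as collateral against debt are assumptions made for illustration.

```python
# Simplified model, constructed for illustration (not the deployed contract).
# Assumption: the treasury treats a user's staked LP amount as collateral.

class Insolvent(Exception):
    pass

class Treasury:
    """Stand-in for the external PlatypusTreasure integration."""
    def __init__(self, staking):
        self.staking = staking
        self.debt = {}  # user -> borrowed amount

    def is_solvent(self, user):
        # Reads the stake amount as currently recorded by the staking contract.
        return self.staking.amount.get(user, 0) >= self.debt.get(user, 0)

class Staking:
    def __init__(self):
        self.amount = {}  # user -> staked LP tokens
        self.treasury = Treasury(self)

    def emergency_withdraw_misordered(self, user):
        # Check runs first, while the stake still counts as collateral.
        if not self.treasury.is_solvent(user):
            raise Insolvent(user)
        released = self.amount.get(user, 0)
        self.amount[user] = 0
        return released

    def emergency_withdraw_reordered(self, user):
        # Zero the entry first, so the check sees the post-withdrawal position.
        released = self.amount.get(user, 0)
        self.amount[user] = 0
        if not self.treasury.is_solvent(user):
            self.amount[user] = released  # emulate the transaction reverting
            raise Insolvent(user)
        return released

def run(withdraw_name, stake=100, debt=80):
    """Return (LP released or None, remaining stake, outstanding debt)."""
    s = Staking()
    s.amount["alice"] = stake
    s.treasury.debt["alice"] = debt
    try:
        released = getattr(s, withdraw_name)("alice")
    except Insolvent:
        released = None
    return released, s.amount["alice"], s.treasury.debt["alice"]
```

With the misordered version the stake is released while the debt stays on the books; with the reordered version the same call is rejected, and a user with no debt can still withdraw.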

The Platypus team confirmed on Feb. 16 that the attacker exploited a “flaw in [the] USP solvency check mechanism,” and this new report from the auditor sheds further light on how the attacker may have been able to accomplish the exploit. The team has attempted to contact the hacker and get the funds returned in exchange for a bug bounty.


Disclaimer: All investment or financial opinions expressed by MoonLanding Media are not recommendations and are intended for entertainment purposes only. Do your own research prior to making any kind of investment. This article has been generated based on trending topics, has not been fact checked and may contain incorrect information. Please verify all information before relying on it.