Feb 18, 2023

$8m Platypus Attack Traced to Misordered Code

The recent $8 million flash loan attack on Platypus was made possible by misordered code, according to a post-mortem report from the Platypus auditor Omniscia. The auditing company claims that the problematic code was not present in the version they had seen.

The report states that the Platypus MasterPlatypusV4 contract “contained a fatal misconception in its emergencyWithdraw mechanism” which caused it to perform its solvency check before updating the LP tokens associated with the stake position.

The code for the emergencyWithdraw function had all of the necessary elements to prevent an attack, but they were written in the wrong order, as Omniscia explained:

“The issue could have been prevented by re-ordering the MasterPlatypusV4::emergencyWithdraw statements and performing the solvency check after the user’s amount entry has been set to 0 which would have prohibited the attack from taking place.”

Omniscia audited a version of the MasterPlatypusV4 contract from Nov. 21 to Dec. 5, 2021. This version did not contain the misordered lines of code, as it “contained no integration points with an external platypusTreasure system.” This suggests that the developers must have deployed a new version of the contract at some point after the audit was made.

The auditor believes that the contract implementation at Avalanche (AVAX) C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited. Lines 582-584 of this contract appear to call a function called “isSolvent” on the PlatypusTreasure contract, and lines 599-601 appear to set the user’s amount, factor, and rewardDebt to zero. However, these amounts are set to zero after the “isSolvent” function has already been called.
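The ordering problem Omniscia describes can be reproduced in a small model. The following is an added example, not the MasterPlatypusV4 or PlatypusTreasure source: the class names, the 50% borrow limit and the amounts are assumptions, and the Python `Treasury.is_solvent` stands in for the `isSolvent` call.

```python
# Simplified model of the ordering issue (constructed; not the MasterPlatypusV4 source).
class Insolvent(Exception): pass

class Treasury:
    LIMIT_PCT = 50  # hypothetical limit: debt may be at most 50% of the staked amount

    def __init__(self, pool):
        self.pool, self.debt = pool, {}

    def is_solvent(self, user):
        stake = self.pool.staked.get(user, 0)
        return self.debt.get(user, 0) * 100 <= stake * self.LIMIT_PCT

    def borrow(self, user, amount):
        new_debt = self.debt.get(user, 0) + amount
        if new_debt * 100 > self.pool.staked.get(user, 0) * self.LIMIT_PCT:
            raise Insolvent(user)
        self.debt[user] = new_debt

class Pool:
    def __init__(self):
        self.staked, self.treasury = {}, Treasury(self)

    def deposit(self, user, amount):
        self.staked[user] = self.staked.get(user, 0) + amount

    def emergency_withdraw_misordered(self, user):
        # The check runs while the stake still counts as collateral, so it passes.
        if not self.treasury.is_solvent(user):
            raise Insolvent(user)
        amount, self.staked[user] = self.staked.get(user, 0), 0
        return amount

    def emergency_withdraw_reordered(self, user):
        # Zero the position first, then check; restore on failure (an EVM revert does this).
        amount, self.staked[user] = self.staked.get(user, 0), 0
        if not self.treasury.is_solvent(user):
            self.staked[user] = amount
            raise Insolvent(user)
        return amount

def outcome(withdraw_name, borrowed=500):
    """Stake 1000, borrow, try an emergency withdraw; return (withdrawn, debt, stake_left)."""
    pool = Pool()
    pool.deposit("alice", 1000)
    pool.treasury.borrow("alice", borrowed)
    try:
        withdrawn = getattr(pool, withdraw_name)("alice")
    except Insolvent:
        withdrawn = 0
    return withdrawn, pool.treasury.debt.get("alice", 0), pool.staked["alice"]
```

With the misordered version the position leaves the pool while the debt stays outstanding with no collateral behind it; with the reordered version the same call is rejected, and a user with no debt can still withdraw.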

The Platypus team confirmed on Feb. 16 that the attack had occurred. They attempted to contact the hacker and get the funds returned in exchange for a bug bounty. The attacker used flash loans to perform the exploit, which is similar to the strategy used in the Defrost Finance exploit of Dec. 25.

The attack on Platypus has put the spotlight on the importance of proper NFT marketing, promotion, and security. As the web3 space continues to grow, there is an increasing need for specialized web3 agencies and NFT marketing agencies to help promote and protect NFTs and other crypto assets.

These agencies can help create marketing campaigns and promotions to help increase the visibility of NFTs and other crypto assets. They can also provide specialized security services to help protect NFTs and other crypto assets from malicious actors. Additionally, they can provide guidance on how to best use Twitter for NFT marketing and promotion.

By working with a specialized web3 agency and NFT marketing agency, NFT creators and owners can ensure that their assets are properly protected and promoted. This will help to create a more secure and vibrant web3 space that is better equipped to handle the increasing demand for NFTs and other crypto assets.

Disclaimer: All investment or financial opinions expressed by MoonLanding Media are not recommendations and are intended for entertainment purposes only. Do your own research prior to making any kind of investment. This article has been generated based on trending topics, has not been fact checked and may contain incorrect information. Please verify all information before relying on it.