Feb 18, 2023

$8M Platypus Exploit Caused by Misordered Code

The $8M Platypus flash loan attack was made possible by a coding error, according to a post-mortem report from Platypus auditor Omniscia. The auditing company claims the problematic code wasn’t present in the version that it saw.

In response to the @Platypusdefi incident, the https://t.co/30PzcoIJnt team released a technical post-mortem analysis that outlines how the exploit unfolded. Follow @Omniscia_sec for more security updates! https://t.co/cf784QtKPK pic.twitter.com/egHyoYaBhn — Omniscia (@Omniscia_sec) February 17, 2023

According to the report, the Platypus MasterPlatypusV4 contract “contained a fatal misconception in its emergencyWithdraw mechanism” which caused it to perform “its solvency check before updating the LP tokens associated with the stake position.”

The auditing company pointed out that the code for the emergencyWithdraw function had all the right elements to prevent an attack, but they were written in the wrong order. Omniscia explained:

“The issue could have been avoided by re-ordering the MasterPlatypusV4::emergencyWithdraw statements and conducting the solvency check after the user’s amount entry has been set to 0 which would have blocked the attack from happening.”

Omniscia audited a version of the MasterPlatypusV4 contract from Nov. 21 to Dec. 5, 2021. However, this version “contained no integration points with an external platypusTreasure system” and thus didn’t contain the misordered lines of code. This suggests that the developers must have deployed a new version of the contract at some point after the audit was completed.

The auditor claims that the contract implementation at Avalanche (AVAX) C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited. Lines 582-584 of this contract appear to call a function called “isSolvent” on the PlatypusTreasure contract, and lines 599-601 appear to set the user’s amount, factor, and rewardDebt to zero. However, these amounts are set to zero after the “isSolvent” function has already been called.
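The ordering problem described above can be reproduced in a small model. The following is an added example, not code from the MasterPlatypusV4 contract or from Omniscia's report; the class and method names are hypothetical, and it assumes the treasury treats the staked LP amount as collateral against a debt at a 1:1 ratio.

```python
# Simplified model of the check-ordering bug; not the MasterPlatypusV4 source.
# Assumption: the treasury counts the staked LP amount as collateral for a debt.

class Treasury:
    """Stand-in for the external treasury that answers the solvency question."""
    def __init__(self):
        self.debt = {}                      # user -> outstanding debt

    def is_solvent(self, pool, user):
        # Solvent when recorded collateral covers the debt (1:1 for simplicity).
        return pool.amount.get(user, 0) >= self.debt.get(user, 0)


class Pool:
    def __init__(self, treasury):
        self.treasury = treasury
        self.amount = {}                    # user -> staked LP tokens

    def emergency_withdraw_misordered(self, user):
        # The check runs while the stake is still recorded, so it describes
        # the position before the withdrawal, not the one left behind.
        if not self.treasury.is_solvent(self, user):
            raise RuntimeError("remaining position would be insolvent")
        returned = self.amount.get(user, 0)
        self.amount[user] = 0
        return returned

    def emergency_withdraw_reordered(self, user):
        # State is updated first; the check then sees the post-withdrawal position.
        staked = self.amount.get(user, 0)
        self.amount[user] = 0
        if not self.treasury.is_solvent(self, user):
            self.amount[user] = staked      # emulate an EVM revert: undo the write
            raise RuntimeError("remaining position would be insolvent")
        return staked


def run(withdraw_name, staked=100, debt=60):
    """Return (tokens_returned, stake_left, debt_left); tokens_returned is None on revert."""
    treasury = Treasury()
    pool = Pool(treasury)
    pool.amount["alice"] = staked           # constructed sample position
    treasury.debt["alice"] = debt
    try:
        returned = getattr(pool, withdraw_name)("alice")
    except RuntimeError:
        returned = None
    return returned, pool.amount["alice"], treasury.debt["alice"]
```

With the misordered version the collateral leaves while the debt stays on the books; with the reordered version the same call reverts, and a debt-free position can still withdraw.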

The Platypus team confirmed on Feb. 16 that the attacker exploited a “flaw in [the] USP solvency check mechanism,” but the team did not initially provide further detail. This new report from the auditor sheds further light on how the attacker was able to carry out the exploit.

The Platypus team announced on Feb. 16 that the attack had occurred. It has attempted to contact the hacker and get the funds returned in exchange for a bug bounty. The attacker used flash loans to carry out the exploit, which is similar to the strategy used in the Defrost Finance exploit of Dec. 25.

Disclaimer: All investment or financial opinions expressed by MoonLanding Media are not recommendations and are intended for entertainment purposes only. Do your own research prior to making any kind of investment. This article has been generated based on trending topics, has not been fact checked and may contain incorrect information. Please verify all information before relying on it.