Feb 18, 2023

$8M Platypus Flash Loan Attack Enabled by Misordered Code

A recent audit report from Omniscia reveals that the $8m Platypus flash loan attack was enabled by code that was in the wrong order. The auditing company claims that the problematic code was not present in the version they reviewed.

The report states that a fatal misconception in the emergencyWithdraw mechanism of the Platypus MasterPlatypusV4 contract allowed for the exploit to take place. The code for the emergencyWithdraw function had all the necessary elements to prevent an attack, but these elements were written in the wrong order.

The audit was conducted from Nov. 21 to Dec. 5, 2021, but Omniscia claims that the version they saw did not have any integration points with an external platypusTreasure system, and thus did not contain the misordered lines of code. This implies that the developers must have deployed a new version of the contract after the audit was made.

The contract implementation at Avalanche (AVAX) C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited, according to the report. Lines 582-584 of this contract appear to call a function called “isSolvent” on the PlatypusTreasure contract, and lines 599-601 appear to set the user’s amount, factor, and rewardDebt to zero. However, these amounts are set to zero after the “isSolvent” function has already been called.
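The ordering problem described above, as an added Python model; it is not the Platypus Solidity source or code from Omniscia's report. The class names, the per-user `debt` figure and the solvency rule (staked amount must cover debt) are assumptions made for illustration, and only `amount` is modelled, not `factor` or `rewardDebt`.

```python
# Simplified model, constructed for illustration (not the deployed contract).
# Assumption: the treasury treats a user's staked amount as backing for a debt.

class Treasury:
    """Stands in for PlatypusTreasure; the debt mapping is an assumption."""
    def __init__(self, master):
        self.master = master
        self.debt = {}

    def is_solvent(self, user):
        # Reads the staking contract's *current* record for the user.
        return self.master.amount.get(user, 0) >= self.debt.get(user, 0)


class Master:
    """Stands in for MasterPlatypusV4, reduced to one pool and one token."""
    def __init__(self):
        self.amount = {}
        self.treasury = Treasury(self)

    def emergency_withdraw_misordered(self, user):
        # Order described in the report: check first, clear state afterwards.
        if not self.treasury.is_solvent(user):
            raise RuntimeError("insolvent")
        paid = self.amount.get(user, 0)
        self.amount[user] = 0  # too late: the check already passed
        return paid

    def emergency_withdraw_reordered(self, user):
        # Clear state first so the check sees the post-withdrawal position.
        paid = self.amount.get(user, 0)
        self.amount[user] = 0
        if not self.treasury.is_solvent(user):
            self.amount[user] = paid  # models a revert undoing the state change
            raise RuntimeError("insolvent")
        return paid


def run(withdraw_name, staked=100, debt=80):
    """Return (amount paid or None, remaining stake, solvent afterwards)."""
    m = Master()
    m.amount["alice"] = staked          # constructed sample position
    m.treasury.debt["alice"] = debt
    try:
        paid = getattr(m, withdraw_name)("alice")
    except RuntimeError:
        paid = None
    return paid, m.amount["alice"], m.treasury.is_solvent("alice")
```

With the misordered version the stake leaves while the debt stays, so the position ends insolvent; with the reordered version the same call is rejected and the stake remains in place.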

The Platypus team announced on Feb. 16 that the attack had occurred and has since tried to contact the hacker in hopes of recovering the funds in exchange for a bug bounty. The attacker used flash loans to perform the exploit, which is similar to the strategy used in the Defrost Finance exploit of Dec. 25.

The incident has sparked a discussion in the web3 space about NFT promotion and marketing, as well as the need for crypto companies to have a web3 agency to help them navigate the complexities of selling NFTs. Twitter NFT marketing has become increasingly popular, and NFT marketing agencies are popping up to help creators and businesses promote their NFTs. It is important for companies to be aware of the security risks associated with NFTs and to make sure they have the right measures in place to protect their assets.

Disclaimer: All investment or financial opinions expressed by MoonLanding Media are not recommendations and are intended for entertainment purposes only. Do your own research prior to making any kind of investment. This article has been generated based on trending topics, has not been fact checked and may contain incorrect information. Please verify all information before relying on it.