Feb 19, 2023

Auditor Finds Fatal Misconception in $8M Platypus Flash Loan Attack

The recent $8 million Platypus flash loan attack was made possible due to a programming error in the MasterPlatypusV4 contract, according to a post-mortem report from auditor Omniscia. The company claims the code in question was not present in the version they audited.

The report states that the contract’s emergencyWithdraw mechanism contained a “fatal misconception”: it had the necessary elements to prevent an attack, but in the wrong order. The issue could have been avoided had the code been re-ordered so that the solvency check was performed after the user’s amount entry was set to zero.

Omniscia had audited a version of the MasterPlatypusV1 contract from Nov. 21 to Dec. 5, 2021, which did not have any integration points with an external platypusTreasure system and therefore did not contain the misordered lines of code.

The auditor believes that the code exploited was deployed at a later date, at Avalanche C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7. Lines 582–584 of this contract appear to call a function called “isSolvent” on the PlatypusTreasure contract, and lines 599–601 appear to set the user’s amount, factor and rewardDebt to zero. However, these amounts are set to zero after the “isSolvent” function has already been called.
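The ordering problem described above can be reproduced in a small model. The following is an added example, not code from the Platypus contracts or from Omniscia's report: it is a simplified Python model rather than the contract's Solidity, and the class names, the single `amount` field, the debt bookkeeping and the sample figures are all assumptions made for illustration.

```python
class InsolventError(Exception):
    """Raised when a withdrawal would leave outstanding debt unbacked."""

class Treasury:
    """Hypothetical stand-in for the external contract that answers isSolvent."""
    def __init__(self, master):
        self.master = master
        self.debt = {}  # user -> amount borrowed against the stake (assumed model)

    def is_solvent(self, user):
        # Solvency is judged from the stake the master contract reports right now.
        return self.master.amount.get(user, 0) >= self.debt.get(user, 0)

class Master:
    """Hypothetical stand-in for the staking contract holding user amounts."""
    def __init__(self):
        self.amount = {}  # user -> staked amount
        self.treasury = Treasury(self)

    def emergency_withdraw_misordered(self, user):
        # Check first, zero later: the check sees the position as it was
        # before the withdrawal, so it passes even though debt remains.
        if not self.treasury.is_solvent(user):
            raise InsolventError(user)
        paid_out = self.amount.get(user, 0)
        self.amount[user] = 0
        return paid_out

    def emergency_withdraw_reordered(self, user):
        # Zero first, check later: the check sees the position that will
        # exist after the withdrawal.
        paid_out = self.amount.get(user, 0)
        self.amount[user] = 0
        if not self.treasury.is_solvent(user):
            self.amount[user] = paid_out  # model a revert by restoring state
            raise InsolventError(user)
        return paid_out

def scenario(method_name, stake=100, debt=80):
    """Run one withdrawal on constructed sample values; report the outcome."""
    master = Master()
    master.amount["alice"] = stake
    master.treasury.debt["alice"] = debt
    try:
        paid_out = getattr(master, method_name)("alice")
    except InsolventError:
        paid_out = None
    return paid_out, master.amount["alice"], master.treasury.debt["alice"]
```

With the misordered variant the stake leaves while the debt stays on the books; with the reordered variant the same call is rejected and the stake remains in place.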

The Platypus team confirmed on Feb. 16 that the attack had occurred, and has since attempted to contact the hacker in the hopes of getting the funds returned in exchange for a bug bounty. The attack mirrored the Defrost Finance exploit on Dec. 25, 2022, which also used flash loans.

The post-mortem report from Omniscia provides further detail on how the attack was executed, and serves as a reminder of the importance of proper code order and auditing in the web3 space.

With the rise of crypto, NFTs, and web3, it is more important than ever to ensure that projects are properly audited and that the code is properly written in order to prevent any malicious actors from exploiting the system. The Platypus flash loan attack serves as a reminder of the importance of proper auditing and code order, and of the need to be vigilant when it comes to security.

Disclaimer: All investment or financial opinions expressed by MoonLanding Media are not recommendations and are intended for entertainment purposes only. Do your own research prior to making any kind of investment. This article has been generated based on trending topics, has not been fact checked and may contain incorrect information. Please verify all information before relying on it.