Feb 19, 2023

Auditor Reports Fatal Misconception Led to $8M Platypus Attack

Share Facebook Twitter Reddit Whatsapp

The $8 million Platypus flash loan attack was made possible due to a code error, according to a post-mortem report from the platform’s audit company, Omniscia. They claim that the code which was exploited did not exist in the version they audited.

Omniscia released a statement on Twitter, saying that they had prepared a technical post-mortem analysis outlining how the exploit occurred in great detail. They also encouraged people to follow their security updates.

The report states that the Platypus MasterPlatypusV4 contract had a fatal mistake in its emergencyWithdraw mechanism, which caused it to perform a solvency check before updating the LP tokens associated with the stake position.

The code for the emergencyWithdraw function had all the necessary elements to prevent an attack, but they were written in the wrong order. If the order had been reversed, the attack would not have been possible.

Omniscia audited a version of the MasterPlatypusV1 contract from Nov. 21 to Dec. 5, 2021. This version, however, did not contain any integration points with an external platypusTreasure system and therefore did not have the misordered lines of code.

The code that was exploited did not exist at the time of the audit, implying that the developers must have deployed a new version of the contract after the audit was made.

The auditor claims that the contract implementation at Avalanche C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited. Lines 582–584 of this contract appear to call a function called “isSolvent” on the PlatypusTreasure contract, and lines 599–601 appear to set the user’s amount, factor and rewardDebt to zero. However, these amounts are set to zero after the “isSolvent” function has already been called.

The Platypus team confirmed on Feb. 16 that the attack was due to a “flaw in [the] USP solvency check mechanism,” but they did not provide further detail. The new report from the auditor sheds further light on how the attacker may have been able to accomplish the exploit.

The Platypus team announced on Feb. 16 that the attack had occurred. They have attempted to contact the hacker and get the funds returned in exchange for a bug bounty. The attacker used flashed loans to perform the exploit, which is similar to the strategy used in the Defrost Finance exploit on Dec. 25, 2022.

The incident has raised awareness of the importance of security and code auditing in the web3 space. With the growing popularity of Non-Fungible Tokens (NFTs) and the increasing number of crypto projects, it is essential for projects to have their code audited before deploying it to the mainnet.

Various NFT-focused marketing and promotion agencies have emerged to help projects with their NFT marketing and promotion strategies. These agencies specialize in working with projects to create and execute effective NFT marketing campaigns on Twitter and other social media platforms.

It is also important for projects to have their contracts audited by a reputable security firm. This ensures that the code is secure and that the project is compliant with the relevant regulations.

The Platypus incident highlights the importance of code auditing and security in the web3 space. Projects must take steps to ensure their code is secure and that their contracts are compliant with the relevant regulations. It is also important for projects to work with a reputable NFT marketing agency to ensure their NFTs are properly promoted and marketed.