Feb 19, 2023

Auditor Reveals Fatal Misconception Behind $8M Platypus Attack

On February 16, the team at Platypus announced that an $8 million flash loan attack had taken place. In response to the incident, Omniscia, the company that audited the MasterPlatypusV1 contract, has released a post-mortem report that explains the details of the exploit.

The report states that the attack was made possible due to a “fatal misconception” in the MasterPlatypusV4 contract’s emergencyWithdraw mechanism. This mechanism contained all of the necessary elements to prevent an attack, but the code was written in the wrong order. If it had been written correctly, it would have performed a solvency check before updating the LP tokens associated with the stake position.

It is important to note that the code that was exploited did not exist at the time of Omniscia’s audit. The audit was conducted from November 21 to December 5, 2021, and the version of the contract that was audited did not contain integration points with an external platypusTreasure system. This means that the developers must have deployed a new version of the contract at some point after the audit was made.

The audit report identified the contract implementation at Avalanche C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 as the one that was exploited. This contract calls an “isSolvent” function on the PlatypusTreasure contract and then sets the user’s amount, factor and rewardDebt to zero. However, these amounts are set to zero only after the “isSolvent” function has already been called.
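The ordering described above can be reproduced in a simplified Python model. This is an added example, not code from the Platypus contracts or from Omniscia's report. The `debt` field, the `BORROW_LIMIT_PCT` value and all function names are assumptions made for illustration, and the reordered variant is one way to close the gap in this model, not the project's own fix.

```python
from dataclasses import dataclass

class Insolvent(Exception):
    """Raised when a position's debt is not covered by its collateral."""

@dataclass
class Position:
    amount: int = 0        # staked LP tokens counted as collateral (constructed units)
    factor: int = 0
    reward_debt: int = 0
    debt: int = 0          # assumed field: value borrowed against the stake

BORROW_LIMIT_PCT = 90      # assumed parameter, not taken from the page

def is_solvent(p: Position) -> bool:
    # Stand-in for the treasury check: debt must fit within the borrow
    # limit computed from the collateral currently recorded.
    return p.debt * 100 <= p.amount * BORROW_LIMIT_PCT

def emergency_withdraw_check_first(p: Position) -> int:
    # Order described above: the check runs while the stake still counts
    # as collateral, and only afterwards are the fields set to zero.
    if not is_solvent(p):
        raise Insolvent("position is insolvent")
    withdrawn = p.amount
    p.amount = p.factor = p.reward_debt = 0
    return withdrawn

def emergency_withdraw_update_first(p: Position) -> int:
    # Reordered: apply the withdrawal first, then check the resulting
    # state and restore it if the check fails (models a revert).
    saved = (p.amount, p.factor, p.reward_debt)
    withdrawn = p.amount
    p.amount = p.factor = p.reward_debt = 0
    if not is_solvent(p):
        p.amount, p.factor, p.reward_debt = saved
        raise Insolvent("withdrawal would leave debt unbacked")
    return withdrawn

def unbacked_debt(p: Position) -> int:
    # Debt exceeding what the remaining collateral can support.
    return max(0, p.debt - p.amount * BORROW_LIMIT_PCT // 100)
```

With a position borrowed up to its limit, the check-first variant releases the full stake and leaves the whole debt unbacked, while the update-first variant rejects the withdrawal and leaves the position unchanged.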

The Platypus team has attempted to contact the hacker and get the funds returned in exchange for a bug bounty. The attacker used flash loans to perform the exploit, which is similar to the strategy used in the Defrost Finance exploit on December 25, 2022.

The incident highlights the importance of code audits and NFT marketing. An audit of the code can help to identify potential flaws before they are exploited, while NFT marketing can help to raise awareness of the project and attract potential investors.

In the wake of the attack, the Platypus team has vowed to take additional steps to improve their security protocols. It is also important for other projects in the web3 space to take similar steps to ensure that their code is secure and their projects are safe from attack.

Disclaimer: All investment or financial opinions expressed by MoonLanding Media are not recommendations and are intended for entertainment purposes only. Do your own research prior to making any kind of investment. This article has been generated based on trending topics, has not been fact checked and may contain incorrect information. Please verify all information before relying on it.