Feb 19, 2023

Auditor Reveals Fatal Misconception Behind $8M Platypus Flash Loan Attack

The recent $8 million Platypus flash loan attack was enabled by a code error, according to a post-mortem report from Platypus auditor Omniscia. The auditing firm claims that the code wasn’t present in the version they had audited.

The report stated that the Platypus MasterPlatypusV4 contract contained a “fatal misconception” in its emergencyWithdraw mechanism, which caused it to perform its solvency check before updating the LP tokens associated with the stake position.

The code for the emergencyWithdraw function had all the necessary elements to prevent an attack, but they were written in the wrong order, as Omniscia explained. The issue could have been avoided by rearranging the MasterPlatypusV4::emergencyWithdraw statements and performing the solvency check after the user’s amount entry had been set to zero.

Omniscia had audited a version of the MasterPlatypusV1 contract between Nov. 21 and Dec. 5, 2021. This version, however, did not have any integration points with an external platypusTreasure system, and thus didn’t have the misordered lines of code. This means that the code that was exploited was deployed after the audit.

The auditor claims that the contract implementation at Avalanche C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited. Lines 582–584 of this contract appear to call a function called “isSolvent” on the PlatypusTreasure contract, and lines 599–601 appear to set the user’s amount, factor and rewardDebt to zero. However, these amounts are set to zero after the “isSolvent” function has already been called.
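The ordering problem described in the report can be reproduced in a small model. The following is an added example, not code from the Platypus contracts or from Omniscia's report: the class names, method names, the 50% borrow limit and the token amounts are all constructed for illustration. It shows the same withdrawal run with the solvency check before and after the user's amount is set to zero.

```python
# Simplified model of the ordering bug. All names and numbers are constructed;
# this is not the MasterPlatypusV4 or PlatypusTreasure source.

class Insolvent(Exception):
    """Raised where the contract would revert."""

class Treasury:
    """Hypothetical stand-in for the treasury that tracks each user's debt."""
    COLLATERAL_PERCENT = 50  # assumed borrow limit: 50% of the recorded stake
    def __init__(self):
        self.debt = {}

    def is_solvent(self, staking, user):
        # Solvent when the debt is covered by the stake recorded right now.
        limit = staking.amount.get(user, 0) * self.COLLATERAL_PERCENT // 100
        return self.debt.get(user, 0) <= limit

class Staking:
    """Hypothetical stand-in for the staking contract holding LP tokens."""
    def __init__(self, treasury):
        self.treasury = treasury
        self.amount = {}  # user -> staked LP tokens
        self.wallet = {}  # user -> LP tokens returned to the user

    def emergency_withdraw_check_first(self, user):
        # Order described in the report: solvency check, then zero the position.
        if not self.treasury.is_solvent(self, user):
            raise Insolvent(user)
        lp, self.amount[user] = self.amount.get(user, 0), 0
        self.wallet[user] = self.wallet.get(user, 0) + lp

    def emergency_withdraw_zero_first(self, user):
        # Reordered: zero the position, then check. On failure the stake is
        # restored to mimic the state rollback of a reverted transaction.
        lp, self.amount[user] = self.amount.get(user, 0), 0
        if not self.treasury.is_solvent(self, user):
            self.amount[user] = lp
            raise Insolvent(user)
        self.wallet[user] = self.wallet.get(user, 0) + lp

def run(withdraw_name, stake=100, borrowed=40):
    """Return (reverted, lp_returned) for one withdrawal by a user with debt."""
    staking = Staking(Treasury())
    staking.amount["user"], staking.treasury.debt["user"] = stake, borrowed
    try:
        getattr(staking, withdraw_name)("user")
    except Insolvent:
        return True, staking.wallet.get("user", 0)
    return False, staking.wallet.get("user", 0)
```

With the check first, the withdrawal succeeds while the debt is still outstanding; with the position zeroed first, the same call reverts, and a user with no debt can still withdraw.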

The Platypus team confirmed on Feb. 16 that the attacker exploited a “flaw in [the] USP solvency check mechanism,” but they didn’t provide any further details. This report from the auditor clarifies how the attacker managed to pull off the exploit.

The Platypus team announced on Feb. 16 that the attack had occurred. They have attempted to contact the hacker and get the funds back in exchange for a bug bounty. The attacker used flash loans to perform the exploit, which is similar to the strategy used in the Defrost Finance exploit on Dec. 25, 2022.

Disclaimer: All investment or financial opinions expressed by MoonLanding Media are not recommendations and are intended for entertainment purposes only. Do your own research prior to making any kind of investment. This article has been generated based on trending topics, has not been fact checked and may contain incorrect information. Please verify all information before relying on it.