Feb 19, 2023

Auditor Reveals Flaw in Platypus Flash Loan Attack

The recent $8 million Platypus flash loan attack caused a stir in the crypto community, and now, the post-mortem report from Platypus auditor Omniscia sheds light on the issue. According to the report, the attack was made possible due to code written in the wrong order.

The report stated that the MasterPlatypusV4 contract “contained a fatal misconception in its emergencyWithdraw mechanism,” which caused it to perform a solvency check before updating the LP tokens associated with the stake position. The code for the emergencyWithdraw function had all the necessary elements to prevent an attack, but they were written in the wrong order.

Omniscia audited a version of the MasterPlatypusV1 contract from Nov. 21 to Dec. 5, 2021, but this version “contained no integration points with an external platypusTreasure system” and thus did not contain the misordered lines of code. This means that the code that was exploited did not exist at the time of the audit.

The auditor claims that the contract implementation at Avalanche C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited. Lines 582–584 of this contract appear to call a function called “isSolvent” on the PlatypusTreasure contract, and lines 599–601 appear to set the user’s amount, factor and rewardDebt to zero. However, these amounts are set to zero after the “isSolvent” function has already been called.
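The ordering problem described above, as a simplified Python model added here; it is not the MasterPlatypusV4 source or Omniscia's code. The names follow the article, while the collateral rule in `is_solvent`, the `borrowed` field and all figures are assumptions made for illustration.

```python
# Simplified model of a check-before-update ordering bug (constructed example).
# Names mirror the article (isSolvent, emergencyWithdraw, amount, factor,
# rewardDebt); the collateral rule and every figure are assumptions.
from dataclasses import dataclass

class Insolvent(Exception):
    """Stands in for a contract revert."""

@dataclass
class Position:
    amount: int = 0       # staked LP tokens backing the loan
    factor: int = 0
    reward_debt: int = 0
    borrowed: int = 0     # assumed field: stablecoin debt owed to the treasury

class Treasury:
    COLLATERAL_PCT = 95   # assumed borrow limit, percent of staked LP

    def is_solvent(self, pos: Position) -> bool:
        return pos.borrowed * 100 <= pos.amount * self.COLLATERAL_PCT

def emergency_withdraw_misordered(t: Treasury, pos: Position) -> int:
    # Order the article describes: the check sees the stake still in place.
    if not t.is_solvent(pos):
        raise Insolvent
    out = pos.amount
    pos.amount = pos.factor = pos.reward_debt = 0
    return out            # LP leaves while the debt stays open

def emergency_withdraw_reordered(t: Treasury, pos: Position) -> int:
    # Update the position first, then check the state the withdrawal leaves.
    saved = (pos.amount, pos.factor, pos.reward_debt)
    out = pos.amount
    pos.amount = pos.factor = pos.reward_debt = 0
    if not t.is_solvent(pos):
        pos.amount, pos.factor, pos.reward_debt = saved  # a revert restores state
        raise Insolvent
    return out

def leaves_bad_debt(withdraw) -> bool:
    """True if all collateral can be withdrawn while debt is outstanding."""
    t, pos = Treasury(), Position(amount=1_000, factor=10, borrowed=900)
    try:
        withdraw(t, pos)
    except Insolvent:
        return False
    return pos.borrowed > 0 and pos.amount == 0
```

Both functions contain the same statements; only the position of the solvency check relative to the state update differs, which makes this a useful regression test to keep alongside any withdrawal path that touches collateral.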

The Platypus team confirmed on Feb. 16 that the attacker exploited a “flaw in [the] USP solvency check mechanism,” and the new report from the auditor provides more insight into how the attack was executed. The attacker used flash loans to perform the exploit, similar to the strategy used in the Defrost Finance exploit on Dec. 25, 2022.

The team has attempted to contact the hacker and get the funds returned in exchange for a bug bounty. In the wake of the attack, the Platypus team is exploring ways to increase the security of their platform, such as using NFTs for promotion and marketing. NFTs are digital assets that are unique and can be used to represent ownership of digital items, such as art, music, or even in-game items.

The team is also looking into working with a web3 agency to help them with NFT marketing. This type of marketing is a great way for the team to spread awareness of their platform and attract more users. Additionally, the team is exploring ways to increase the security of their platform, such as selling NFTs and using an NFT marketing agency to help them promote their platform.

The recent attack on Platypus has highlighted the importance of security in the web3 space. It is essential for developers to take the necessary steps to ensure their code is secure and audit their contracts regularly. By doing so, they can help protect their users and their funds.

Disclaimer: All investment or financial opinions expressed by MoonLanding Media are not recommendations and are intended for entertainment purposes only. Do your own research prior to making any kind of investment. This article has been generated based on trending topics, has not been fact checked and may contain incorrect information. Please verify all information before relying on it.