Feb 19, 2023
Auditor: Wrongly Ordered Code Led to $8M Platypus Attack
Omniscia, the auditor of the Platypus protocol, has released a post-mortem report which reveals the cause of the devastating $8 million flash loan attack. The report claims that the code for the emergencyWithdraw function was written in the wrong order, thus allowing the attack to take place.
The report states that the Platypus MasterPlatypusV4 contract “contained a fatal misconception in its emergencyWithdraw mechanism,” which made it perform “its solvency check before updating the LP tokens associated with the stake position.” The code for the emergencyWithdraw function had all of the necessary elements to prevent an attack, but these elements were simply written in the wrong order.
Omniscia audited a version of the MasterPlatypusV1 contract from Nov. 21 to Dec. 5, 2021. However, this version “contained no integration points with an external platypusTreasure system” and therefore did not contain the misordered lines of code.
The auditor claims that the contract implementation at Avalanche C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited. Lines 582–584 of this contract appear to call a function called “isSolvent” on the PlatypusTreasure contract, and lines 599–601 appear to set the user’s amount, factor and rewardDebt to zero. However, these amounts are set to zero after the “isSolvent” function has already been called.
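The ordering problem described in the report can be seen in a small model. This is an added example, not the Platypus contract code: it is a simplified Python sketch in which only emergencyWithdraw and isSolvent are names taken from the article, and the classes, the 1:1 collateral rule and the sample figures are assumptions made for illustration.

```python
# Simplified model (added example). Only emergencyWithdraw and isSolvent are
# names from the article; everything else here is hypothetical.

class Treasure:
    """Stand-in for the external treasury that lends against staked LP tokens."""
    def __init__(self, master):
        self.master = master
        self.debt = {}  # user -> amount borrowed against the stake

    def is_solvent(self, user):
        # Assumed 1:1 collateral rule, judged from the stake recorded right now.
        return self.debt.get(user, 0) <= self.master.staked.get(user, 0)


class Master:
    def __init__(self):
        self.staked = {}  # user -> LP tokens recorded for the stake position
        self.treasure = Treasure(self)

    def emergency_withdraw_misordered(self, user):
        # Check runs while the position still shows its full stake, so it passes.
        if not self.treasure.is_solvent(user):
            raise PermissionError("position is insolvent")
        amount = self.staked.get(user, 0)
        self.staked[user] = 0  # position is zeroed only after the check
        return amount

    def emergency_withdraw_reordered(self, user):
        amount = self.staked.get(user, 0)
        self.staked[user] = 0  # update the position first
        if not self.treasure.is_solvent(user):
            self.staked[user] = amount  # models the state rollback of a revert
            raise PermissionError("position is insolvent")
        return amount


def try_withdraw(method_name, stake=100, debt=80):
    """Constructed scenario: a position with `stake` LP tokens backing `debt`."""
    master = Master()
    master.staked["alice"] = stake
    master.treasure.debt["alice"] = debt
    try:
        released = getattr(master, method_name)("alice")
    except PermissionError:
        released = None
    return released, master.staked["alice"], master.treasure.is_solvent("alice")
```

try_withdraw returns the tokens released, the stake left on record and whether the position is still solvent afterwards, so the two orderings can be compared on the same position.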
The Platypus team confirmed on Feb. 16 that the attacker exploited a “flaw in [the] USP solvency check mechanism,” but the team did not initially provide further detail. This new report from the auditor sheds further light on how the attacker may have been able to accomplish the exploit.
The Platypus team announced on Feb. 16 that the attack had occurred. It has attempted to contact the hacker and get the funds returned in exchange for a bug bounty. The attacker used flash loans to perform the exploit, which is similar to the strategy used in the Defrost Finance exploit on Dec. 25, 2022.
The incident has highlighted the importance of conducting thorough NFT audits and implementing secure code. NFTs are becoming increasingly popular, and they are also becoming more complex. As a result, it is essential that developers use best practices when creating and deploying contracts.
Disclaimer: All investment or financial opinions expressed by MoonLanding Media are not recommendations and are intended for entertainment purposes only. Do your own research prior to making any kind of investment. This article has been generated based on trending topics, has not been fact checked and may contain incorrect information. Please verify all information before relying on it.