Feb 19, 2023
Auditor: Wrongly-Ordered Code Led to $8M Platypus Attack

The $8 million Platypus flash loan attack was caused by code written in the wrong order, according to a post-mortem report from the auditor Omniscia. The auditing company claims the problematic code was not present in the version they audited.
Omniscia released a technical post-mortem analysis detailing how the exploit occurred. The report states that the Platypus MasterPlatypusV4 contract “contained a fatal misconception in its emergencyWithdraw mechanism,” which resulted in it performing “its solvency check before updating the LP tokens associated with the stake position.”
The code for the emergencyWithdraw function had all of the necessary elements to prevent an attack, but these elements were simply written in the wrong order. According to Omniscia, the issue could have been avoided if the code had been re-ordered so that the solvency check was performed after the user’s amount entry had been set to 0.
Omniscia audited a version of the MasterPlatypusV1 contract from Nov. 21 to Dec. 5, 2021. However, this version “contained no integration points with an external platypusTreasure system” and therefore did not contain the misordered lines of code.
The code that was exploited did not exist at the time of Omniscia’s audit, meaning the developers must have deployed a new version of the contract after the audit was conducted. The auditor claims that the contract implementation at Avalanche C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited. Lines 582–584 of this contract appear to call a function called “isSolvent” on the PlatypusTreasure contract, and lines 599–601 appear to set the user’s amount, factor and rewardDebt to zero. However, these amounts are set to zero after the “isSolvent” function has already been called.
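The ordering problem described above can be reproduced in a small model. This is an added Python example, not code from Platypus or Omniscia; the `Pool` and `Treasury` classes, the rule that debt must be covered by the recorded stake, and the sample amounts are all assumptions made for illustration.

```python
# Simplified model with assumed names and rules; not Platypus or Omniscia code.
class Revert(Exception):
    """Stands in for an EVM revert, which undoes the call's state changes."""

class Treasury:
    # Assumption: debt must be covered by the stake the pool currently records.
    def __init__(self, pool):
        self.pool = pool
        self.debt = {}

    def borrow(self, user, amount):
        if self.pool.staked.get(user, 0) < self.debt.get(user, 0) + amount:
            raise Revert("borrow exceeds collateral")
        self.debt[user] = self.debt.get(user, 0) + amount

    def is_solvent(self, user):
        return self.pool.staked.get(user, 0) >= self.debt.get(user, 0)

class Pool:
    def __init__(self):
        self.staked = {}
        self.treasury = Treasury(self)

    def emergency_withdraw_misordered(self, user):
        # Check runs while the position still counts as collateral.
        if not self.treasury.is_solvent(user):
            raise Revert("insolvent")
        amount, self.staked[user] = self.staked.get(user, 0), 0
        return amount  # LP tokens paid out

    def emergency_withdraw_reordered(self, user):
        # Zero the position first, then check what is left against the debt.
        amount, self.staked[user] = self.staked.get(user, 0), 0
        if not self.treasury.is_solvent(user):
            self.staked[user] = amount  # the revert rolls the zeroing back
            raise Revert("insolvent")
        return amount

def run(withdraw_name, debt):
    """Stake 100, borrow `debt`, emergency-withdraw; return (paid, staked, debt)."""
    pool, user = Pool(), "alice"
    pool.staked[user] = 100  # constructed sample position
    pool.treasury.borrow(user, debt)
    try:
        paid = getattr(pool, withdraw_name)(user)
    except Revert:
        paid = None  # call reverted, nothing paid out
    return paid, pool.staked[user], pool.treasury.debt[user]
```

With the misordered version, a position that still owes 50 leaves the pool with its full stake and the debt stays unbacked; the reordered version reverts for that position and still pays out a debt-free one.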
The Platypus team confirmed on Feb. 16 that the attacker exploited a “flaw in [the] USP solvency check mechanism,” but the team did not initially provide further detail. This new report from the auditor sheds further light on how the attacker may have been able to accomplish the exploit.
The Platypus team announced on Feb. 16 that the attack had occurred. It has attempted to contact the hacker and get the funds returned in exchange for a bug bounty. The attacker used flash loans to perform the exploit, which is similar to the strategy used in the Defrost Finance exploit on Dec. 25, 2022.
The attack has highlighted the importance of security auditing for web3 projects, particularly when it comes to Non-Fungible Token (NFT) marketing and promotion. NFTs are digital assets that are unique and cannot be replicated, and their value is often dependent on the marketing and promotion of the project.
As such, it is essential for projects to have their code audited by a reputable web3 agency before launching, as this can help to ensure that any vulnerabilities are identified and addressed before the project goes live. Additionally, it is important for projects to have an effective NFT marketing and promotion strategy in place, as this can help to ensure that the project’s NFTs are well received by the community and that the project is able to generate enough interest to be successful.
This includes using social media platforms such as Twitter to promote the project and its NFTs, as well as using an NFT marketing agency to help with the project’s marketing and promotion efforts. By having a comprehensive NFT marketing and promotion strategy in place, projects can ensure that they are able to successfully sell their NFTs and generate the necessary financials to keep the project running.
Disclaimer: All investment or financial opinions expressed by MoonLanding Media are not recommendations and are intended for entertainment purposes only. Do your own research prior to making any kind of investment. This article has been generated based on trending topics, has not been fact checked and may contain incorrect information. Please verify all information before relying on it.