Feb 19, 2023

Auditor’s Report: $8M Platypus Flash Loan Attack Caused by Misordered Code

The auditing company Omniscia has released a post-mortem report on the $8 million Platypus flash loan attack, providing insight into the exploit. According to the report, the exploit was made possible by code that was in the wrong order. This code was not present in the version of the contract that Omniscia audited.

The report states that the Platypus MasterPlatypusV4 contract “contained a fatal misconception in its emergencyWithdraw mechanism,” which caused it to perform its solvency check before updating the LP tokens associated with the stake position. Omniscia claims that the issue could have been prevented if the code for the emergencyWithdraw function had been re-ordered, so that the solvency check was performed after the user’s amount entry was set to zero.

Omniscia audited a version of the MasterPlatypusV1 contract from Nov. 21 to Dec. 5, 2021. This version “contained no integration points with an external platypusTreasure system” and therefore did not contain the misordered lines of code. It is important to note that the code that was exploited did not exist at the time of Omniscia’s audit.

The auditor claims that the contract implementation at Avalanche C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited. Lines 582–584 of this contract appear to call a function called “isSolvent” on the PlatypusTreasure contract, and lines 599–601 appear to set the user’s amount, factor and rewardDebt to zero. However, these amounts are set to zero after the “isSolvent” function has already been called.
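The ordering problem described above can be reproduced in a small model. This is an added Python example, not the Solidity code of MasterPlatypusV4 or PlatypusTreasure; the class names, method names and the collateral rule (debt must not exceed staked LP) are assumptions made for illustration.

```python
# Simplified model (constructed for illustration): names and the collateral
# rule are assumptions, not taken from MasterPlatypusV4 or PlatypusTreasure.

class Insolvent(Exception):
    """Raised where the Solidity contract would revert."""

class Treasury:
    """Stand-in for the external treasury that tracks stablecoin debt."""
    def __init__(self, master):
        self.master = master
        self.debt = {}  # user -> borrowed amount

    def borrow(self, user, amount):
        self.debt[user] = self.debt.get(user, 0) + amount
        if not self.is_solvent(user):
            self.debt[user] -= amount
            raise Insolvent("borrow exceeds collateral")

    def is_solvent(self, user):
        # Assumed rule: debt must not exceed the LP amount recorded in master.
        return self.debt.get(user, 0) <= self.master.staked.get(user, 0)

class Master:
    """Stand-in for the staking contract holding users' LP tokens."""
    def __init__(self):
        self.staked = {}  # user -> LP amount recorded for the position
        self.treasury = Treasury(self)

    def deposit(self, user, amount):
        self.staked[user] = self.staked.get(user, 0) + amount

    def emergency_withdraw_misordered(self, user):
        # The check runs while the stake is still recorded, so it counts
        # collateral that is about to leave the contract.
        if not self.treasury.is_solvent(user):
            raise Insolvent("position has unbacked debt")
        amount = self.staked.get(user, 0)
        self.staked[user] = 0
        return amount  # LP returned to the user

    def emergency_withdraw_reordered(self, user):
        # Zero the position first, then check the state that will remain.
        # A Solidity revert undoes the write; here it is restored by hand.
        amount = self.staked.get(user, 0)
        self.staked[user] = 0
        if not self.treasury.is_solvent(user):
            self.staked[user] = amount
            raise Insolvent("position has unbacked debt")
        return amount
```

In the misordered version a position with outstanding debt passes the check and leaves with its full stake, so the debt is left unbacked; in the reordered version the same call is rejected and the stake stays in place.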

The Platypus team confirmed on Feb. 16 that the attacker exploited a “flaw in [the] USP solvency check mechanism,” but the team did not initially provide further detail. This new report from the auditor sheds further light on how the attacker may have been able to accomplish the exploit.

The team has attempted to contact the hacker and get the funds returned in exchange for a bug bounty. The attacker used flash loans to perform the exploit, which is similar to the strategy used in the Defrost Finance exploit on Dec. 25, 2022.


Disclaimer: All investment or financial opinions expressed by MoonLanding Media are not recommendations and are intended for entertainment purposes only. Do your own research prior to making any kind of investment. This article has been generated based on trending topics, has not been fact checked and may contain incorrect information. Please verify all information before relying on it.