Feb 19, 2023
Auditor’s Report Reveals Platypus Flash Loan Attack Cause
The recent $8 million Platypus flash loan attack has been the talk of the town in the web3 space, and now, the auditing company Omniscia has released a post-mortem report that reveals why the attack was successful. According to the report, the code in the MasterPlatypusV4 contract was in the wrong order, making it possible for the attack to happen.
The report explains that the code in the emergencyWithdraw function had all the necessary elements to prevent an attack, but they were written in the wrong order. If the code had been re-ordered, the attack could have been prevented.
Omniscia was hired to audit a version of the MasterPlatypusV1 contract from Nov. 21 to Dec. 5, 2021. However, this version did not contain the misordered lines of code, which implies that the developers must have deployed a new version of the contract at some point after the audit was made.
The auditor claims that the contract implementation at Avalanche C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited. Lines 582–584 of this contract appear to call a function called “isSolvent” on the PlatypusTreasure contract, and lines 599–601 appear to set the user’s amount, factor and rewardDebt to zero. However, these amounts are set to zero after the “isSolvent” function has already been called.
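The ordering issue described above can be reproduced in a small Python model. This is an added example, not code from Omniscia's report or from the Platypus contracts; the class names, the 1:1 collateral rule and the amounts are assumptions made for illustration.

```python
# Simplified model of the ordering issue; NOT the MasterPlatypusV4 source.
# Class names, the 1:1 collateral rule and all amounts are assumptions.

class Insolvent(Exception):
    pass

class Treasury:
    """Stand-in for the treasury contract that answers isSolvent."""
    def __init__(self, master):
        self.master = master
        self.debt = {}

    def is_solvent(self, user):
        # Solvency is judged against the stake the master contract records *now*.
        return self.debt.get(user, 0) <= self.master.amount.get(user, 0)

class Master:
    """Stand-in for the staking contract holding the user's amount."""
    def __init__(self):
        self.amount = {}
        self.treasury = Treasury(self)

    def emergency_withdraw_misordered(self, user):
        # Check runs while the stake is still recorded, so it passes.
        if not self.treasury.is_solvent(user):
            raise Insolvent(user)
        paid, self.amount[user] = self.amount[user], 0  # state zeroed too late
        return paid

    def emergency_withdraw_reordered(self, user):
        # Effects first: zero the stake, then ask whether the user is solvent.
        saved, self.amount[user] = self.amount[user], 0
        if not self.treasury.is_solvent(user):
            self.amount[user] = saved  # model of a revert: undo the state change
            raise Insolvent(user)
        return saved

def run(variant):
    """Stake 100, borrow 80 against it, then call the chosen withdraw variant."""
    m = Master()
    m.amount["alice"] = 100          # constructed sample values
    m.treasury.debt["alice"] = 80
    try:
        paid = getattr(m, "emergency_withdraw_" + variant)("alice")
    except Insolvent:
        paid = 0
    return paid, m.amount["alice"], m.treasury.is_solvent("alice")
```

`run` returns the amount paid out, the stake still recorded, and whether the position is solvent afterwards, so the two orderings can be compared directly.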
The Platypus team confirmed on Feb. 16 that the attacker exploited a “flaw in [the] USP solvency check mechanism,” but the team did not initially provide further detail. This new report from the auditor sheds further light on how the attacker may have been able to accomplish the exploit.
The Platypus team announced on Feb. 16 that the attack had occurred. It has attempted to contact the hacker and get the funds returned in exchange for a bug bounty. The attacker used flash loans to perform the exploit, which is similar to the strategy used in the Defrost Finance exploit on Dec. 25, 2022.
The incident has highlighted the importance of proper NFT promotion and marketing, as well as the need for NFT marketing agencies and web3 agencies to provide comprehensive security audits. It is also a reminder of the need for developers to be vigilant when coding and deploying smart contracts, as even the smallest mistake can have devastating consequences.

Disclaimer: All investment or financial opinions expressed by MoonLanding Media are not recommendations and are intended for entertainment purposes only. Do your own research prior to making any kind of investment. This article has been generated based on trending topics, has not been fact checked and may contain incorrect information. Please verify all information before relying on it.