The $8 million attack on the Platypus flash loan was made possible by code that was misordered, according to a postmortem report from Platypus auditor Omniscia. The auditing company claims that the problematic code did not exist in the version they saw.
In light of the recent @Platypusdefi incident the https://t.co/30PzcoIJnt team has prepared a technical post-mortem analysis describing how the exploit unraveled in great detail.
Be sure to follow @Omniscia_sec to receive more security updates! https://t.co/cf784QtKPK pic.twitter.com/egHyoYaBhn
— Omniscia (@Omniscia_sec) February 17, 2023
According to the report, the Platypus MasterPlatypusV4 contract “contained a fatal error in its emergencyWithdraw mechanism” that caused it to perform “its solvency check before updating the LP tokens associated with the staking position.”
The report noted that the emergencyWithdraw function's code had all the elements necessary to prevent the attack, but that they were simply written in the wrong order, as Omniscia explained:
“The problem could have been avoided by reordering the MasterPlatypusV4::emergencyWithdraw statements and performing the solvency check after the user amount input had been set to 0, which would have prevented the attack from occurring.”
Omniscia acknowledged that it audited a version of the MasterPlatypusV4 contract from November 21 to December 5, 2021. However, that version “contained no integration points with an external platypusTreasure system” and therefore did not contain the misordered lines of code. From Omniscia’s point of view, this implies that the developers must have deployed a new version of the contract at some point after the audit was performed.
The auditor claims that the implementation of the contract at the Avalanche (AVAX) C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited. Lines 582-584 of this contract appear to call a function called “isSolvent” in the PlatypusTreasure contract, and lines 599-601 appear to zero out the user’s amount, factor, and rewardDebt. In other words, these amounts are reset to zero only after the “isSolvent” function has already been called.
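To make the ordering defect concrete, here is a small Python model of the two statement orders the report contrasts. This is an added illustration, not Platypus or Omniscia code: the collateral ratio, LP price, and the 1000 LP / 600 USP position are constructed numbers, and is_solvent is a stand-in for the treasury's check.

```python
"""Model of the emergencyWithdraw ordering bug described in the Omniscia report.
Added illustration, not Platypus code: all names and numbers are constructed."""
from dataclasses import dataclass

COLLATERAL_RATIO = 1.5  # assumed: 1 USP of debt needs 1.5 units of LP value backing it
LP_PRICE = 1.0          # assumed unit LP price


@dataclass
class Position:
    amount: float   # staked LP tokens (the collateral)
    debt: float     # USP borrowed against the position


class InsolventError(Exception):
    """Stands in for a Solidity revert."""


def is_solvent(pos: Position) -> bool:
    # Stand-in for PlatypusTreasure.isSolvent: collateral must cover debt * ratio.
    return pos.amount * LP_PRICE >= pos.debt * COLLATERAL_RATIO


def emergency_withdraw_vulnerable(pos: Position) -> float:
    """Check first, update second (the deployed ordering). The check still sees
    the LP tokens that are about to leave, so an indebted user passes it."""
    if not is_solvent(pos):
        raise InsolventError
    paid_out = pos.amount
    pos.amount = 0
    return paid_out


def emergency_withdraw_fixed(pos: Position) -> float:
    """Update first, check second (the reordering the report recommends).
    A failed check restores the amount, emulating a Solidity revert."""
    paid_out = pos.amount
    pos.amount = 0
    if not is_solvent(pos):
        pos.amount = paid_out  # revert: nothing leaves the contract
        raise InsolventError
    return paid_out


def run(withdraw, debt: float = 600.0) -> tuple:
    """Stake 1000 LP, owe `debt` USP, then call emergencyWithdraw.
    Returns (lp_paid_out or "reverted", debt_still_owed, lp_left_staked)."""
    pos = Position(amount=1000.0, debt=debt)  # constructed sample position
    try:
        out = withdraw(pos)
    except InsolventError:
        return ("reverted", pos.debt, pos.amount)
    return (out, pos.debt, pos.amount)
```

With the deployed ordering the model pays out all 1000 LP while 600 USP of debt remains; with the reordered statements the same call reverts, and only a debt-free position can withdraw.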
The Platypus team confirmed on February 16 that the attacker had exploited a “flaw in USP’s solvency check mechanism”, but the team did not initially provide further details. This new auditor report sheds more light on how the attacker may have been able to pull off the exploit.
The Platypus team announced on February 16 that the attack had occurred. They have tried to contact the hacker and recover the funds in exchange for a bug bounty. The attacker used flash loans to perform the exploit, a strategy similar to the one used in the December 25 Defrost Finance exploit.
Disclaimer: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information presented here should not be taken as financial advice or an investment recommendation. All investment and trading activity involves risk, and it is the responsibility of each person to do their own research before making an investment decision.
Investments in crypto assets are not regulated. They may not be suitable for retail investors and the entire amount invested may be lost. The services or products offered are not directed or accessible to investors in Spain.