The $8 million Platypus flash loan attack was made possible by code that was in the wrong order, according to a postmortem report from Platypus auditor Omniscia. The auditing company claims that the problematic code did not exist in the version they saw.
In light of the recent @platypus incident https://t.co/30PzcoIJnt, the team has prepared a post-mortem technical analysis that describes how the exploit was developed in great detail.
Be sure to follow @Omniscia_sec to receive more security updates! https://t.co/cf784QtKPK
— Omniscia (@Omniscia_sec) February 17, 2023
According to the report, the Platypus MasterPlatypusV4 contract “contained a fatal misconception in its emergency withdrawal mechanism” that caused it to perform “its creditworthiness check before refreshing the LP tokens associated with the stake position.”
The report emphasized that the code for the emergency withdrawal function had all the necessary elements to prevent an attack, but these elements were simply written in the wrong order, as Omniscia explained:
“The issue could have been avoided by reordering the MasterPlatypusV4::emergencyWithdraw statements and performing the solvency check after the amount entered by the user has been set to 0, which would have prevented the attack from taking place.”
Omniscia stated that it audited a version of the MasterPlatypusV4 contract from November 21 to December 5, 2021. However, that version “contained no integration points with an external platypus system” and therefore did not contain the problematic lines of code. From Omniscia’s point of view, this implies that the developers must have deployed a new version of the contract at some point after the audit was performed.
Related: Raydium announces details of hack and proposes compensation for victims
The auditor states that the contract deployed at the Avalanche (AVAX) C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited. Lines 582-584 of this contract call a function named “isSolvent” in the PlatypusTreasure contract, and lines 599-601 set the user’s staked amount, factor, and reward debt to zero. Because these values are only zeroed after “isSolvent” has already been called, the solvency check still counts the stake that the user is about to withdraw as collateral.
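To make the ordering point concrete, the following is an added, simplified illustration of the check-then-zero bug and its reordered fix; it is not Platypus or Omniscia code. The contract and function names, the 80% loan-to-value rule, the assumption that one LP token is worth one unit of collateral, and the `isSolvent(address)` signature are all invented for this example. The one property it does reproduce from the report is that the treasury has no collateral ledger of its own and instead reads the user’s current stake from the staking contract, which is why the order of the statements in `emergencyWithdraw` decides whether a borrower can walk away with both the loan and the collateral.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative reconstruction of the ordering bug, not Platypus code.
// Contract and function names, the stake-as-collateral model, the LTV
// figure and the isSolvent() signature are assumptions for this example.

interface IStaking {
    function stakedAmount(address user) external view returns (uint256);
}

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Lends a stablecoin against staked LP. It keeps no collateral record of
// its own: it asks the staking contract how much the user has staked right
// now, so a position that has just been zeroed is worth nothing to it.
contract Treasury {
    IStaking public immutable staking;
    mapping(address => uint256) public debt;   // stablecoin owed per user
    uint256 public constant LTV_BPS = 8_000;   // 80% loan-to-value (assumed)

    constructor(IStaking _staking) { staking = _staking; }

    // Assumption: 1 LP token == 1 unit of collateral value.
    function isSolvent(address user) public view returns (bool) {
        uint256 collateral = staking.stakedAmount(user);
        return debt[user] * 10_000 <= collateral * LTV_BPS;
    }

    function borrow(uint256 amount) external {
        debt[msg.sender] += amount;
        require(isSolvent(msg.sender), "exceeds collateral factor");
        // stablecoin minting omitted for brevity
    }
}

contract Staking is IStaking {
    struct UserInfo { uint256 amount; uint256 factor; uint256 rewardDebt; }
    mapping(address => UserInfo) public userInfo;
    IERC20 public immutable lpToken;
    Treasury public treasury;

    constructor(IERC20 _lpToken) { lpToken = _lpToken; }
    function setTreasury(Treasury t) external { treasury = t; } // access control omitted

    function stakedAmount(address user) external view override returns (uint256) {
        return userInfo[user].amount;
    }

    function deposit(uint256 amount) external {
        lpToken.transferFrom(msg.sender, address(this), amount);
        userInfo[msg.sender].amount += amount;
    }

    // VULNERABLE ORDER: the solvency check runs while userInfo.amount still
    // backs the debt, so a borrower passes it and then receives the whole
    // stake. The debt stays on the treasury's books with nothing behind it.
    function emergencyWithdraw() external {
        UserInfo storage user = userInfo[msg.sender];
        require(treasury.isSolvent(msg.sender), "not solvent");

        uint256 amount = user.amount;
        user.amount = 0;
        user.factor = 0;
        user.rewardDebt = 0;

        lpToken.transfer(msg.sender, amount);
    }

    // FIXED ORDER: zero the position first, then ask the treasury. With the
    // stake gone, any outstanding debt makes isSolvent() false, the require
    // reverts and the zeroing is rolled back. Only a debt-free user can exit.
    function emergencyWithdrawFixed() external {
        UserInfo storage user = userInfo[msg.sender];

        uint256 amount = user.amount;
        user.amount = 0;
        user.factor = 0;
        user.rewardDebt = 0;

        require(treasury.isSolvent(msg.sender), "remaining amount exceeds collateral factor");

        lpToken.transfer(msg.sender, amount);
    }
}
```

The attacking sequence this models is the one implied by the report: deposit LP (funded by a flash loan), borrow against it, then call `emergencyWithdraw`. In the vulnerable ordering the check sees the full stake, passes, and the stake is returned while `debt` is untouched; in the fixed ordering the same call reverts at the `require`, because the treasury now sees zero collateral against a non-zero debt. The fix is purely a matter of statement order, which is exactly what Omniscia pointed out.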
The Platypus team confirmed on February 16 that the attacker took advantage of a “glitch in [the] USP’s credit check mechanism,” but the team did not initially provide further details. This new auditor report sheds more light on how the attacker was able to exploit the vulnerability.
The Platypus team announced on February 16 that the attack had occurred. The team has tried to contact the hacker and recover the funds in exchange for a bug bounty. The attacker used flash loans to perform the exploit, a strategy similar to the one used in the December 25 Defrost Finance exploit.