Platypus attack exploited incorrect ordering of code, auditor claims

Platypus attack exploited incorrect ordering of code, auditor claims

Disclaimer: The article has been updated to reflect that Omniscia did not audit a version of the MasterPlatypusV4 contract. Instead, the company audited a version of the MasterPlatypusV1 contract from Nov. 21 to Dec. 5, 2021.

The $8 million Platypus flash loan attack was made possible because of code that was in the wrong order, according to a post-mortem report from Platypus auditor Omniscia. The auditing company claims the problematic code didn’t exist in the version they audited.

According to the report, the Platypus MasterPlatypusV4 contract “contained a fatal misconception in its emergencyWithdraw mechanism,” which made it perform “its solvency check before updating the LP tokens associated with the stake position.”

The report emphasized that the code for the emergencyWithdraw function had all of the necessary elements to prevent an attack, but these elements were simply written in the wrong order, as Omniscia explained:

“The issue could have been prevented by re-ordering the MasterPlatypusV4::emergencyWithdraw statements and performing the solvency check after the user’s amount entry has been set to 0 which would have prohibited the attack from taking place.”

Omniscia audited a version of the MasterPlatypusV1 contract from Nov. 21 to Dec. 5, 2021. However, this version “contained no integration points with an external platypusTreasure system” and therefore did not contain the misordered lines of code.

It is important to note that the code that was exploited did not exist at the time of Omniscia’s audit. Omniscia’s point of view implies that the developers must have deployed a new version of the contract at some point after the audit was made.

Relacionado: Raydium announces details of hack, proposes compensation for victims

The auditor claims that the contract implementation at Avalanche C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited. Lines 582–584 of this contract appear to call a function called “isSolvent” on the PlatypusTreasure contract, and lines 599–601 appear to set the user’s amount, factor and rewardDebt to zero. However, these amounts are set to zero after the “isSolvent” function has already been called.

The Platypus team confirmed on Feb. 16 that the attacker exploited a “flaw in [the] USP solvency check mechanism,” but the team did not initially provide further detail. This new report from the auditor sheds further light on how the attacker may have been able to accomplish the exploit.

The Platypus team announced on Feb. 16 that the attack had occurred. It has attempted to contact the hacker and get the funds returned in exchange for a bug bounty. The attacker used flashed loans to perform the exploit, which is similar to the strategy used in the Defrost Finance exploit on Dec. 25, 2022.

Coloque ahora sus Enics en su cartera BNB a una cotización de lanzamiento, y benefíciese de su fulgurante crecimiento en los próximos meses

Participa ahora en la Oferta Inicial de Monedas de Enic
y disfrutar de grandes ganancias
en las próximas semanas

¿ESTÁ OPERANDO EN SU TELÉFONO MÓVIL O TABLETA?

Copie la siguiente dirección o escanéela en su cartera de criptomonedas, y envíe a esta dirección la cantidad de BNB que desea convertir en ENIC

0x5c887F4518a95CdAfFe4E4B3AFDA00C2BB2BcD69

O escanee el siguiente código QR inmediatamente con su aplicación de cartera de criptomonedas

Los BNB que envíes se convertirán instantáneamente en ENICs y llegarán a tu monedero en pocos segundos

¿ESTÁ OPERANDO EN SU ESCRITORIO?

(Se sugiere utilizar el navegador Chrome con la extensión Metamask o Trustwallet)

Copie la siguiente dirección o escanéela en la extensión de su monedero de criptomonedas, y envíe a esta dirección la cantidad de BNB que desea convertir en ENIC

0x5c887F4518a95CdAfFe4E4B3AFDA00C2BB2BcD69

Los BNB que envíes se convertirán instantáneamente en ENICs y llegarán a tu monedero en pocos segundos

O

nuestra comunidad

Titulares de
en todo el mundo

Únete ahora mismo a nuestra creciente comunidad en nuestro canal de Telegram, y benefíciate del irresistible crecimiento de Enic en los próximos meses

0
La gente se unió
0 +
SUSCRIPTORES DE ICO
0
Energía
proveedores
es_ESEspañol