Platypus attack exploited incorrect ordering of code, auditor claims


The $8m Platypus flash loan attack was made possible because of code that was in the wrong order, according to a post-mortem report from Platypus auditor Omniscia. The auditing firm states that the problem code did not exist in the version it audited.

According to the report, the Platypus MasterPlatypusV4 contract "contained a fatal error in its emergencyWithdraw mechanism" that caused it to carry out "its credit check before updating the LP tokens associated with the participation position."

The report emphasized that the code for the emergencyWithdraw function had all of the necessary elements to prevent an attack, but these elements were simply written in the wrong order, as Omniscia explained:

“The issue could have been prevented by re-ordering the MasterPlatypusV4::emergency

Omniscia acknowledged that it audited a version of the MasterPlatypusV4 contract from Nov. 21 to Dec. 5, 2021. However, this version "did not contain any point of integration with an external platypusTreasure system" and therefore did not contain the improperly ordered lines of code. From Omniscia's point of view, this implies that the developers must have deployed a new version of the contract at some point after the audit was performed.


The auditor claims that the contract implementation at Avalanche (AVAX) C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited. Lines 582-584 of this contract seem to call a function called "isSolvent" on the platypusTreasure contract, and lines 599-601 seem to set the amount, factor and liability of the user to zero. However, these amounts are set to zero only after the "isSolvent" function has already been called, so the check runs against the position as it stood before the withdrawal.
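The ordering problem described above can be shown with a small model. This is an added example written in Python, not the MasterPlatypusV4 Solidity source; the `Pool` class, the 50% borrow limit and the sample figures are assumptions made for illustration.

```python
# Simplified model, constructed for illustration; not the MasterPlatypusV4 source.
class Insolvent(Exception):
    """Stands in for an EVM revert."""

class Pool:
    LIMIT_PCT = 50  # assumed borrow limit: debt may not exceed 50% of staked LP

    def __init__(self):
        self.staked, self.debt, self.wallet = {}, {}, {}

    def deposit(self, user, lp):
        self.staked[user] = self.staked.get(user, 0) + lp

    def borrow(self, user, amount):
        self.debt[user] = self.debt.get(user, 0) + amount
        if not self.is_solvent(user):
            self.debt[user] -= amount  # roll back, as a revert would
            raise Insolvent("borrow exceeds limit")

    def is_solvent(self, user):
        # Solvency is judged against the stake recorded at the moment of the call.
        return self.debt.get(user, 0) * 100 <= self.staked.get(user, 0) * self.LIMIT_PCT

    def emergency_withdraw_vulnerable(self, user):
        # Wrong order: the check runs while the stake still counts as collateral.
        if not self.is_solvent(user):
            raise Insolvent("position has outstanding debt")
        lp, self.staked[user] = self.staked.get(user, 0), 0
        self.wallet[user] = self.wallet.get(user, 0) + lp
        return lp

    def emergency_withdraw_fixed(self, user):
        # Right order: zero the position first, then check the resulting state.
        lp, self.staked[user] = self.staked.get(user, 0), 0
        if not self.is_solvent(user):
            self.staked[user] = lp  # roll back, as a revert would
            raise Insolvent("withdrawal would leave debt uncollateralised")
        self.wallet[user] = self.wallet.get(user, 0) + lp
        return lp

def run(withdraw_name):
    """Stake 1000 LP, borrow 400, withdraw; return (wallet LP, staked LP, debt, reverted)."""
    pool = Pool()
    pool.deposit("alice", 1000)
    pool.borrow("alice", 400)
    try:
        getattr(pool, withdraw_name)("alice")
        reverted = False
    except Insolvent:
        reverted = True
    return pool.wallet.get("alice", 0), pool.staked["alice"], pool.debt["alice"], reverted
```

With the check first, the model releases all collateral while the debt stays open; with the state update first, the same call reverts and the position is unchanged.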

The Platypus team confirmed on Feb. 16 that the attacker exploited a "default in [the] USP creditworthiness control mechanism," but the team did not provide any additional details at the outset. This new report from the auditor sheds more light on how the attacker carried out the exploit.

The Platypus team announced on Feb. 16 that the attack had occurred. It tried to contact the hacker and get the money back in exchange for a bug bounty. The attacker used flash loans to perform the exploit, which is similar to the strategy used in the Defrost Finance exploit of Dec. 25.