Platypus attack exploited incorrect order of code, auditor says

The $8 million Platypus flash loan attack was made possible by code that was in the wrong order, according to a post-mortem report by Platypus’s auditor, Omniscia. The auditing firm claims that the problematic code did not exist in the version it saw.

According to the report, the Platypus MasterPlatypusV4 contract “contained a fatal misconception in its emergency withdrawal mechanism” that caused it to perform “its credit check before updating the LP tokens associated with the stake position.”

The report pointed out that the code for the emergencyWithdraw function contained all the necessary elements to prevent an attack, but these elements were simply written in the wrong order, as Omniscia explained:

“The issue could have been avoided by reordering the MasterPlatypusV4::emergencyWithdraw instructions and performing the credit check after the user amount input was set to 0, which would have disallowed the attack.”

Omniscia admitted to having audited a version of the MasterPlatypusV4 contract from November 21 to December 5, 2021. However, this version “did not contain any points of integration with an external platypusTreasure system” and therefore did not contain the misordered lines of code. From Omniscia’s perspective, this implies that the developers must have deployed a new version of the contract at some point after the audit was completed.

The auditor claims that the contract implementation at the Avalanche (AVAX) C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited. Lines 582-584 of this contract seem to call a function called “isSolvent” on the PlatypusTreasure contract, and lines 599-601 seem to set the user’s Debt amount, factor, and reward to zero. However, these quantities are set to zero only after the “isSolvent” function has already been called.
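The ordering problem the report describes, as an added Python model that is not the contract's Solidity code or Omniscia's. The Treasury and Staking classes, the 50% credit limit and the sample amounts are assumptions made for illustration.

```python
class Revert(Exception):
    """Stands in for an EVM revert."""

class Treasury:
    """Hypothetical lender: debt may not exceed 50% of the recorded stake."""
    def __init__(self):
        self.debt = {}
    def is_solvent(self, staking, user):
        return self.debt.get(user, 0) <= staking.staked.get(user, 0) * 50 // 100
    def borrow(self, staking, user, amount):
        self.debt[user] = self.debt.get(user, 0) + amount
        if not self.is_solvent(staking, user):
            self.debt[user] -= amount
            raise Revert("over credit limit")

class Staking:
    def __init__(self, treasury):
        self.treasury, self.staked, self.wallet = treasury, {}, {}
    def deposit(self, user, amount):
        self.staked[user] = self.staked.get(user, 0) + amount
    def _pay_out(self, user, amount):
        self.wallet[user] = self.wallet.get(user, 0) + amount
        return amount
    def withdraw_check_first(self, user):
        # Order the report describes: the check still sees the stake that is about to leave.
        if not self.treasury.is_solvent(self, user):
            raise Revert("insolvent")
        amount, self.staked[user] = self.staked.get(user, 0), 0
        return self._pay_out(user, amount)
    def withdraw_check_last(self, user):
        # Reordered: zero the position first, then check the post-withdrawal state.
        amount, self.staked[user] = self.staked.get(user, 0), 0
        if not self.treasury.is_solvent(self, user):
            self.staked[user] = amount  # manual rollback; the EVM undoes this on revert
            raise Revert("insolvent")
        return self._pay_out(user, amount)

def scenario(method, debt):
    """Constructed case: stake 1000, borrow `debt`, then call the named withdraw."""
    treasury = Treasury()
    staking = Staking(treasury)
    staking.deposit("alice", 1000)
    if debt:
        treasury.borrow(staking, "alice", debt)
    try:
        getattr(staking, method)("alice")
        outcome = "withdrawn"
    except Revert:
        outcome = "reverted"
    return outcome, staking.staked["alice"], treasury.debt.get("alice", 0)
```

With the check first, the position is emptied while the debt stays on the books; with the check last, the same call reverts and a debt-free user can still withdraw.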

The Platypus team confirmed on February 16 that the attacker exploited a “flaw in (the) USP credit check mechanism”, but the team initially did not provide further details. This new report from the auditor sheds additional light on how the attacker was able to accomplish the exploit.

The Platypus team announced on February 16 that the attack had taken place. It attempted to contact the hacker and recover the funds in exchange for a bug bounty. The attacker used flash loans to execute the exploit, which is similar to the strategy used in the December 25 Defrost Finance exploit.