Platypus attack exploited incorrect ordering of code, auditor claims

Published at: Feb. 17, 2023

The $8m Platypus flash loan attack was made possible because of code that was in the wrong order, according to a post mortem report from Platypus auditor Omniscia. The auditing company claims the problematic code didn’t exist in the version they saw.

In light of the recent @Platypusdefi incident the https://t.co/30PzcoIJnt team has prepared a technical post-mortem analysis describing how the exploit unravelled in great details. Be sure to follow @Omniscia_sec to receive more security updates!https://t.co/cf784QtKPK pic.twitter.com/egHyoYaBhn

— Omniscia (@Omniscia_sec) February 17, 2023

According to the report, the Platypus MasterPlatypusV4 contract “contained a fatal misconception in its emergencyWithdraw mechanism” which made it perform “its solvency check before updating the LP tokens associated with the stake position.”

The report emphasized that the code for the emergencyWithdraw function had all of the necessary elements to prevent an attack, but these elements were simply written in the wrong order, as Omniscia explained:

“The issue could have been prevented by re-ordering the MasterPlatypusV4::emergencyWithdraw statements and performing the solvency check after the user’s amount entry has been set to 0 which would have prohibited the attack from taking place.”

Omnisia admitted that they audited a version of the MasterPlatypusV4 contract from Nov. 21 to Dec. 5, 2021. However, this version “contained no integration points with an external platypusTreasure system” and therefore did not contain the misordered lines of code. From Omniscia’s point of view, this implies that the developers must have deployed a new version of the contract at some point after the audit was made.

Related: Raydium announces details of hack, proposes compensation for victims

The auditor claims that the contract implementation at Avalanche (AVAX) C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited. Lines 582-584 of this contract appear to call a function called “isSolvent” on the PlatypusTreasure contract, and lines 599-601 appear to set the user’s amount, factor, and rewardDebt to zero. However, these amounts are set to zero after the “isSolvent” function has already been called.

The Platypus team confirmed on Feb. 16 that the attacker exploited a “flaw in [the] USP solvency check mechanism,” but the team did not initially provide further detail. This new report from the auditor sheds further light on how the attacker may have been able to accomplish the exploit.

The Platypus team announced on Feb. 16 that the attack had occurred. It has attempted to contact the hacker and get the funds returned in exchange for a bug bounty. The attacker used flashed loans to perform the exploit, which is similar to the strategy used in the Defrost Finance exploit of Dec. 25.

Tags
Related Posts
​​Cream Finance DeFi platform loses $19M in a flash loan hack
Cream Finance, a major decentralized finance (DeFi) protocol focused on lending, has suffered a severe exploit, with a hacker stealing nearly $19 million from its platform. An unknown hacker has managed to gain $18.8 million in the latest flash loan exploit of the Cream Finance protocol through a reentrancy bug introduced by the Amp token, according to an investigation by blockchain security firm PeckShield. Announcing the news Monday, Cream Finance said that the protocol has stopped the exploit by pausing supply and borrow contracts on the Amp token. “No other markets were affected,” Cream Finance stated. C.R.E.A.M. v1 market on …
Decentralization / Aug. 30, 2021
Hacker bungles DeFi exploit: Leaves stolen $1M in contract set to self destruct
In a rare comedic bungle among decentralized finance (DeFi) exploits, an attacker has fumbled their heist at the finish line leaving behind over $1 million in stolen crypto. Just after 8:00 am UTC on Thursday, blockchain security and analytics firm BlockSec shared it had detected an attack on a little-known DeFi lending protocol called Zeed, which styles itself a “decentralized financial integrated ecosystem.” The attacker exploited a vulnerability in the way the protocol distributes rewards, allowing them to mint extra tokens, which were then sold, crashing the price to zero, but netting just over $1 million for the exploiter. Blockchain …
Defi / April 22, 2022
Wintermute inside job theory 'not convincing enough' —BlockSec
Blockchain security firm BlockSec has debunked a conspiracy theory alleging the $160 million Wintermute hack was an inside job, noting that the evidence used for allegations is “not convincing enough." Earlier this week cyber sleuth James Edwards published a report alleging that the Wintermute smart contract exploit was likely conducted by someone with inside knowledge of the firm, questioning activity relating to the compromised smart contract and two stablecoin transactions in particular. BlockSec has since gone over the claims in a Wednesday post on Medium, suggesting that the “accusation of the Wintermute project is not as solid as the author …
Blockchain / Sept. 28, 2022
Projects would rather get hacked than pay bounties, Web3 developer claims
As hacks and exploits continue to go rampant within the crypto industry, the importance of finding vulnerabilities to prevent potential losses becomes of utmost importance. However, a Web3 developer highlighted that it’s not rewarding to do so. In a tweet, a Web3 developer claimed that he found a vulnerability in a Solana smart contract that would have affected several projects and around $30 million in funds. According to the dev, he reported and helped patch the vulnerabilities. However, when it was time to ask for a reward, the projects just started to ignore him. The developer noted that this sends …
Blockchain / Dec. 20, 2022
Yield platform Stablegains sued for promoting UST: Finance Redefined
Welcome to Finance Redefined, your weekly dose of essential decentralized finance (DeFi) insights — a newsletter crafted to bring you significant developments over the last week. The backlash from the Terra implosion still haunts the crypto world, with the now-shuttered stablecoin yield platform Stablegains being sued for customer losses. The plaintiffs allege that the platform funnelled customer funds into Anchor Protocol without users’ knowledge or consent. Platypus, the DeFi protocol that was exploited for over $8 million, is working on a compensation plan to recover some of the funds. Florida’s Cogent Bank is proposing a $100 million participation in loans …
Regulation / Feb. 24, 2023