Platypus attack exploited incorrect ordering of code, auditor claims

2 years ago

The misordered lines caused a solvency check to be performed before the user’s amount, factor, and rewardDebt had been set to zero

The $8m Platypus flash loan attack was made possible because of code that was in the wrong order, according to a post mortem report from Platypus auditor Omniscia. The auditing company claims the problematic code didn’t exist in the version they saw.

— Omniscia (@Omniscia_sec) February 17, 2023

According to the report, the Platypus MasterPlatypusV4 contract “contained a fatal misconception in its emergencyWithdraw mechanism” which made it perform “its solvency check before updating the LP tokens associated with the stake position.”

The report emphasized that the code for the emergencyWithdraw function had all of the necessary elements to prevent an attack, but these elements were simply written in the wrong order, as Omniscia explained:

“The issue could have been prevented by re-ordering the MasterPlatypusV4::emergencyWithdraw statements and performing the solvency check after the user’s amount entry has been set to 0 which would have prohibited the attack from taking place.”

Omniscia admitted that they audited a version of the MasterPlatypusV4 contract from Nov. 21 to Dec. 5, 2021. However, this version “contained no integration points with an external platypusTreasure system” and therefore did not contain the misordered lines of code. From Omniscia’s point of view, this implies that the developers must have deployed a new version of the contract at some point after the audit was made.

The auditor claims that the contract implementation at Avalanche (AVAX) C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited. Lines 582-584 of this contract appear to call a function called “isSolvent” on the PlatypusTreasure contract, and lines 599-601 appear to set the user’s amount, factor, and rewardDebt to zero. However, these amounts are set to zero after the “isSolvent” function has already been called.
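The ordering problem described above, shown as an added, simplified Python model; it is not the MasterPlatypusV4 code or Omniscia's. It assumes a user's debt is backed only by the stake the staking contract records, and every class name, user name and number in it is constructed.

```python
# Simplified model, not the deployed contract. Assumption: a user's debt is
# backed only by the LP amount the staking contract records for that user.
# Class names, the user name and all numbers are constructed.

class Insolvent(Exception):
    """Raised where the contract would revert."""

class Treasury:
    def __init__(self, staking):
        self.staking, self.debt = staking, {}

    def is_solvent(self, user):
        # Reads the stake exactly as the staking contract records it right now.
        return self.staking.amount.get(user, 0) >= self.debt.get(user, 0)

class Staking:
    def __init__(self):
        self.amount, self.wallet = {}, {}   # staked LP / LP paid back out
        self.treasury = Treasury(self)

    def emergency_withdraw_misordered(self, user):
        # The check runs while the stake is still recorded, so it passes.
        if not self.treasury.is_solvent(user):
            raise Insolvent(user)
        lp, self.amount[user] = self.amount.get(user, 0), 0
        self.wallet[user] = self.wallet.get(user, 0) + lp

    def emergency_withdraw_reordered(self, user):
        # Zero the position first, then ask whether the user is still solvent.
        lp, self.amount[user] = self.amount.get(user, 0), 0
        if not self.treasury.is_solvent(user):
            self.amount[user] = lp          # emulate the revert's rollback
            raise Insolvent(user)
        self.wallet[user] = self.wallet.get(user, 0) + lp

def scenario(method, debt):
    """Stake 100 LP, owe `debt`, then call the named withdraw method."""
    pool = Staking()
    pool.amount["alice"], pool.treasury.debt["alice"] = 100, debt
    try:
        getattr(pool, method)("alice")
        outcome = "withdrawn"
    except Insolvent:
        outcome = "reverted"
    return outcome, pool.amount["alice"], pool.wallet.get("alice", 0)

if __name__ == "__main__":
    for name in ("emergency_withdraw_misordered", "emergency_withdraw_reordered"):
        print(name, scenario(name, debt=90), scenario(name, debt=0))
```

With debt outstanding, the misordered version pays out the full stake while the reordered version reverts and leaves the stake in place; a user with no debt can withdraw under either ordering.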

The Platypus team confirmed on Feb. 16 that the attacker exploited a “flaw in [the] USP solvency check mechanism,” but the team did not initially provide further detail. This new report from the auditor sheds further light on how the attacker may have been able to execute the exploit.

The Platypus team announced on Feb. 16 that the attack had occurred. It has attempted to contact the hacker and get the funds returned in exchange for a bug bounty. The attacker used flash loans to execute the exploit, which is similar to the strategy used in the Defrost Finance exploit of Dec. 25.
