The $8 million Platypus Flash mortgage assault was made doable by this code In the flawed order, in response to a autopsy report by Platypus auditor Omniscia. The accounting agency claims that the problematic code didn't exist within the model they noticed.
— Omniscia (@Omniscia_sec) February 17, 2023
In line with the report, the Platypus MasterPlatypusV4 contract contained "a deadly misunderstanding in its EmergencyWithdraw mechanism" that prompted it to "carry out its solvency examine earlier than updating the LP tokens related to the stake place."
The report emphasised that the code for the EmergencyWithdraw perform had all the required components to stop an assault, however these components have been merely written out of order, as Omniscia defined:
"The difficulty might have been prevented by reordering the MasterPlatypusV4::emergencyWithdraw statements and operating the solvency examine after setting the consumer's quantity enter to 0, which might have prevented the assault."
Omnisia admitted that they have been reviewing a model of the MasterPlatypusV4 contract from November twenty first to December fifth, 2021. Nonetheless, this model contained "no integration factors with an exterior PlatypusTreasure system" and subsequently didn't include the misplaced strains of code. From Omniscia's perspective, which means the builders should have deployed a brand new model of the contract in some unspecified time in the future after the audit.
Associated: Raydium offers particulars of the hack and proposes compensation for victims
The auditor claims that the execution of the contract lies with Avalanche (AVAX) C-Chain deal with 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one who was taken benefit of. Strains 582-584 of this contract seem to name a perform known as isSolvent on the PlatypusTreasure contract, and contours 599-601 seem to set the consumer's quantity, issue, and reward debt to zero. Nonetheless, these quantities are set to zero after the isSolvent perform has already been known as.
The Platypus crew confirmed on February 16 that the attacker discovered a "bug in [the] USP Solvency Examine Mechanism," however the crew initially didn't present any additional data. This new auditor's report sheds additional gentle on how the attacker might need been capable of carry out the exploit.
The Platypus crew introduced on February 16 that the assault had taken place. It tried to contact the hacker and get the funds again in alternate for a bug bounty. The attacker used flash loans to carry out the exploit, which is analogous to the technique used within the December 25 Defrost Finance exploit.