Platypus attack exploited incorrect ordering of code, auditor claims

The $8m Platypus flash loan attack was made possible by code that was in the wrong order, according to a post-mortem report from Platypus auditor Omniscia. The auditing firm says the problematic code was not present in the version it reviewed.

According to the report, the Platypus MasterPlatypusV4 contract “contains a fatal misconception in the emergencyWithdraw mechanism,” which performs its “solvency checks before updating LP tokens associated with stake positions.”

The report notes that the emergencyWithdraw function contains all the elements needed to prevent the attack, but that they are simply executed in the wrong order, as Omniscia explains:

“The problem can be prevented by reordering the statements in MasterPlatypusV4::emergencyWithdraw so that the solvency check is performed after the user’s amount entry has been set to 0, which will prohibit the attack from occurring.”

Omniscia says it audited the version of MasterPlatypusV4 in place from November 21 to December 5, 2021. However, that version “does not have any integration point with the external platypusTreasure system” and therefore did not contain the faulty code. From Omniscia’s point of view, this implies that the developers must have deployed a new version of the contract at some point after the audit was completed.


The auditor stated that the exploited contract implementation is deployed at Avalanche (AVAX) C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7. Lines 582-584 of this contract appear to call a function named “isSolvent” in the PlatypusTreasure contract, and lines 599-601 appear to set the user’s amount, factor, and rewardDebt to zero. In other words, the amount is only set to zero after “isSolvent” has already been called.
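To make the ordering problem concrete, the following added example (not Platypus’s or Omniscia’s code) shows a simplified emergency-withdraw function in both the vulnerable order described above and the reordered form the auditor recommends. It assumes a hypothetical ITreasure.isSolvent(user, lpToken) that counts the user’s staked LP as backing their position; the real PlatypusTreasure signature is not given in the article.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interfaces assumed for this example; the real PlatypusTreasure
// and LP token signatures are not given on the page.
interface ITreasure {
    function isSolvent(address user, address lpToken) external view returns (bool);
}
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract EmergencyWithdrawDemo {
    struct UserInfo { uint256 amount; uint256 factor; uint256 rewardDebt; }

    ITreasure public immutable treasure;
    mapping(uint256 => address) public lpToken;                       // pid => LP token
    mapping(uint256 => mapping(address => UserInfo)) public userInfo; // pid => user => position

    constructor(address _treasure, address _lp) {
        treasure = ITreasure(_treasure);
        lpToken[0] = _lp;
    }
    // Vulnerable ordering, as the post mortem describes it: the solvency check
    // runs while user.amount still counts the staked LP as backing the position,
    // so a position that is solvent only because of this stake passes the check
    // and the stake is released anyway.
    function emergencyWithdrawVulnerable(uint256 pid) external {
        UserInfo storage user = userInfo[pid][msg.sender];
        require(treasure.isSolvent(msg.sender, lpToken[pid]), "not solvent");
        uint256 amount = user.amount;
        user.amount = 0;
        user.factor = 0;
        user.rewardDebt = 0;
        require(IERC20(lpToken[pid]).transfer(msg.sender, amount), "transfer failed");
    }

    // Fixed ordering: zero the position first, then ask the treasure whether the
    // user is still solvent without it. If not, the call reverts and the storage
    // writes above are rolled back, so nothing leaves the contract.
    function emergencyWithdrawFixed(uint256 pid) external {
        UserInfo storage user = userInfo[pid][msg.sender];
        uint256 amount = user.amount;
        user.amount = 0;
        user.factor = 0;
        user.rewardDebt = 0;
        require(treasure.isSolvent(msg.sender, lpToken[pid]), "not solvent");
        require(IERC20(lpToken[pid]).transfer(msg.sender, amount), "transfer failed");
    }
}
```

The fixed version is the usual checks-effects-interactions shape: state is updated before any external call, and the solvency check evaluates the state the user will actually be left in.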

The Platypus team confirmed on February 16 that the attacker had exploited “flaws in [the] USP’s solvency check mechanism,” but did not provide further details. The auditor’s new report fills in how the attackers were able to complete the exploit.

The Platypus team announced on February 16 that the attack had taken place and that it had tried to contact the hacker to negotiate a refund in exchange for a bug bounty. The attackers used flash loans to carry out the exploit, the same strategy used in the December 25 Defrost Finance exploit.