{"id":553334,"date":"2023-02-18T01:35:47","date_gmt":"2023-02-17T22:35:47","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/platypus-attack-exploited-incorrect-ordering-of-code-auditor-claims\/"},"modified":"2023-02-18T01:35:47","modified_gmt":"2023-02-17T22:35:47","slug":"platypus-attack-exploited-incorrect-ordering-of-code-auditor-claims","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/platypus-attack-exploited-incorrect-ordering-of-code-auditor-claims\/","title":{"rendered":"# Platypus attack exploited incorrect ordering of code, auditor claims"},"content":{"rendered":"<h1>Platypus attack exploited incorrect ordering of code, auditor claims<\/h1>\n<div class=\"post-content\" data-v-48054ca8><p>The $8m Platypus flash loan attack was made possible because of code that was <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/medium.com\/@omniscia.io\/platypus-finance-inc\">in<\/a> the wrong order, according to a post-mortem report from Platypus auditor Omniscia. The auditing company claims the problematic code didn\u2019t exist in the version they saw.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\"> In light of the recent <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/Platypusdefi?ref_src=twsrc%5Etfw\">@Platypusdefi<\/a> incident the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/t.co\/30PzcoIJnt\">https:\/\/t.co\/30PzcoIJnt<\/a> team has prepared a technical post-mortem analysis describing how the exploit unravelled in great detail. 
<\/p>\n<p> Be sure to follow <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/Omniscia_sec?ref_src=twsrc%5Etfw\">@Omniscia_sec<\/a> to receive more security updates!<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/t.co\/cf784QtKPK\">https:\/\/t.co\/cf784QtKPK<\/a> <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/t.co\/egHyoYaBhn\">pic.twitter.com\/egHyoYaBhn<\/a><\/p>\n<p>\u2014 Omniscia (@Omniscia_sec) <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/Omniscia_sec\/status\/1626599363110703104?ref_src=twsrc%5Etfw\">February 17, 2023<\/a><\/p><\/blockquote>\n<p>According to the report, the Platypus MasterPlatypusV4 contract \u201ccontained a fatal misconception in its emergencyWithdraw mechanism\u201d which made it perform \u201cits solvency check before updating the LP tokens associated with the stake position.\u201d<\/p>\n<p>The report emphasized that the code for the emergencyWithdraw function had all of the necessary elements to prevent an attack, but these elements were simply written in the wrong order, as Omniscia explained:<\/p>\n<blockquote><p>\u201cThe issue could have been prevented by re-ordering the MasterPlatypusV4::emergencyWithdraw statements and performing the solvency check after the user\u2019s amount entry has been set to 0 which would have prohibited the attack from taking place.\u201d<\/p><\/blockquote>\n<p>Omniscia admitted that it audited a version of the MasterPlatypusV4 contract from Nov. 21 to Dec. 5, 2021. However, this version \u201ccontained no integration points with an external platypusTreasure system\u201d and therefore did not contain the misordered lines of code. 
From Omniscia\u2019s point of view, this implies that the developers must have deployed a new version of the contract at some point after the audit was made.<\/p>\n<p><strong>Related: Raydium announces details of hack, proposes compensation for victims<\/strong><\/p>\n<p>The auditor claims that the contract implementation at Avalanche (AVAX) C-Chain address <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/snowtrace.io\/address\/0xc007f27b757a782c833c568f5851ae1dfe0e6ec7#code\">0xc007f27b757a782c833c568f5851ae1dfe0e6ec7<\/a> is the one that was exploited. Lines 582-584 of this contract appear to call a function called \u201cisSolvent\u201d on the PlatypusTreasure contract, and lines 599-601 appear to set the user\u2019s amount, factor, and rewardDebt to zero. However, these amounts are set to zero after the \u201cisSolvent\u201d function has already been called.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/s3.cointelegraph.com\/uploads\/2023-02\/d21ae40a-dbf9-40e4-bf52-ac540d9b75f3.png\"><\/figure>\n<p>The Platypus team <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/Platypusdefi\/status\/1626396538611310592\">confirmed<\/a> on Feb. 16 that the attacker exploited a \u201cflaw in [the] USP solvency check mechanism,\u201d but the team did not initially provide further detail. This new report from the auditor sheds further light on how the attacker may have been able to accomplish the exploit.<\/p>\n<p>The Platypus team announced on Feb. 16 that the attack had occurred. It has attempted to contact the hacker and get the funds returned in exchange for a bug bounty. 
The attacker used flash loans to perform the exploit, which is similar to the strategy used in the Defrost Finance exploit of Dec. 25.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/cointelegraph.com\/news\/platypus-attack-exploited-incorrect-ordering-of-code-auditor-claims\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Platypus attack exploited incorrect ordering of code, auditor claims. The $8m Platypus flash loan attack was made possible because of code that was in the wrong order, according to a post-mortem report from Platypus auditor Omniscia. 
The auditing company claims the problematic code didn\u2019t exist in the version they saw. In light&#8230;<\/p>\n","protected":false},"author":1,"featured_media":553335,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/s3.cointelegraph.com\/uploads\/2023-02\/e131c24e-1d1b-4cca-bd0c-be000895effe.jpg","fifu_image_alt":"","footnotes":""},"categories":[1],"tags":[74868,74882,75434,70944,73808],"class_list":["post-553334","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-defi","tag-hacks","tag-smart-contracts","tag-hackers","tag-loans"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/553334","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=553334"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/553334\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/553335"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=553334"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=553334"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=553334"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}