Global blockchain supervision and query platform


Platypus attack exploited incorrect ordering of code, auditor claims

 Platypus attack exploited incorrect ordering of code, auditor claims WikiBit 2023-02-17 22:35

The Platypus team has attempted to contact the attacker and offered a bug bounty in exchange for the return of funds

The $8m Platypus flash loan attack was made possible because of code that was in the wrong order, according to a post mortem report from Platypus auditor Omniscia. The auditing company claims the problematic code didnt exist in the version they saw.

根据 platypus 审计师 omniscia 的事后报告,价值 800 万美元的 platypus 闪电贷攻击之所以成为可能,是因为代码顺序错误。审计公司声称他们看到的版本中不存在有问题的代码。

In light of the recent @Platypusdefi incident the team has prepared a technical post-mortem analysis describing how the exploit unravelled in great details.

鉴于最近的@platypusdefi 事件, 团队准备了一份技术性事后分析,详细描述了该漏洞利用的具体过程。

Be sure to follow @Omniscia_sec to receive more security updates!

请务必关注@omniscia_sec 以获得更多安全更新!

— Omniscia (@Omniscia_sec) February 17, 2023

- omniscia (@omniscia_sec) 2023 年 2 月 17 日

According to the report, the Platypus MasterPlatypusV4 contract “contained a fatal misconception in its emergencyWithdraw mechanism” which made it perform “its solvency check before updating the LP tokens associated with the stake position.”

根据该报告,platypus masterplatypusv4 合约“在其紧急撤回机制中包含一个致命的误解”,这使得它“在更新与股权头寸相关的 lp 代币之前执行偿付能力检查”。

The report emphasized that the code for the emergencyWithdraw function had all of the necessary elements to prevent an attack, but these elements were simply written in the wrong order, as Omniscia explained:

该报告强调,emergencywithdraw 函数的代码具有防止攻击的所有必要元素,但这些元素只是以错误的顺序编写,正如 omniscia 解释的那样:

“The issue could have been prevented by re-ordering the MasterPlatypusV4::emergencyWithdraw statements and performing the solvency check after the users amount entry has been set to 0 which would have prohibited the attack from taking place.”

“这个问题可以通过重新排序 masterplatypusv4::emergencywithdraw 语句并在用户的金额输入设置为 0 后执行偿付能力检查来防止,这将阻止攻击发生。”

Omnisia admitted that they audited a version of the MasterPlatypusV4 contract from Nov. 21 to Dec. 5, 2021. However, this version “contained no integration points with an external platypusTreasure system” and therefore did not contain the misordered lines of code. From Omniscias point of view, this implies that the developers must have deployed a new version of the contract at some point after the audit was made.

omnisia 承认,他们在 2021 年 11 月 21 日至 12 月 5 日期间审核了 masterplatypusv4 合约的一个版本。但是,该版本“不包含与外部 platypustreasure 系统的集成点”,因此不包含顺序错误的代码行。从 omniscia 的角度来看,这意味着开发人员必须在审计完成后的某个时候部署了新版本的合约。

Related: Raydium announces details of hack, proposes compensation for victims

相关: raydium 公布黑客攻击细节,建议对受害者进行赔偿

The auditor claims that the contract implementation at Avalanche (AVAX) C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited. Lines 582-584 of this contract appear to call a function called “isSolvent” on the PlatypusTreasure contract, and lines 599-601 appear to set the users amount, factor, and rewardDebt to zero. However, these amounts are set to zero after the “isSolvent” function has already been called.

审计员声称,avalanche (avax) c-chain 地址 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 的合约实施被利用了。该合约的第 582-584 行似乎调用了 platypustreasure 合约上名为“issolvent”的函数,第 599-601 行似乎将用户金额、因子和 rewarddebt 设置为零。但是,在调用“issolvent”函数后,这些数量将设置为零。

The Platypus team confirmed on Feb. 16 that the attacker exploited a “flaw in [the] USP solvency check mechanism,” but the team did not initially provide further detail. This new report from the auditor sheds further light on how the attacker may have been able to accomplish the exploit.

platypus 团队于 2 月 16 日证实,攻击者利用了“usp 偿付能力检查机制中的一个缺陷”,但该团队最初并未提供更多细节。审计员的这份新报告进一步阐明了攻击者可能如何完成攻击。

The Platypus team announced on Feb. 16 that the attack had occurred. It has attempted to contact the hacker and get the funds returned in exchange for a bug bounty. The attacker used flashed loans to perform the exploit, which is similar to the strategy used in the Defrost Finance exploit of Dec. 25.

鸭嘴兽团队于 2 月 16 日宣布袭击已经发生。它试图联系黑客并获得返还资金以换取漏洞赏金。攻击者使用闪贷来执行漏洞利用,这类似于 12 月 25 日 defrost finance 漏洞利用中使用的策略。


The views in this article only represent the author's personal views, and do not constitute investment advice on this platform. This platform does not guarantee the accuracy, completeness and timeliness of the information in the article, and will not be liable for any loss caused by the use of or reliance on the information in the article.

  • Token conversion
  • Exchange rate conversion
  • Calculation for foreign exchange purchasing
Current Rate