
Platypus, a decentralized finance (DeFi) platform on the Avalanche network, recently fell victim to an $8 million flash loan attack. An auditor for Platypus, Omniscia, has published a report claiming that the attack was caused by code written in the wrong order. The report states that the emergency withdraw function within the MasterPlatypusV4 contract contained a fatal misconception in its solvency check mechanism.
Omniscia noted that the code had all the necessary elements to prevent an attack, but they were written in the wrong order, which allowed the hacker to exploit the system. According to Omniscia, reordering the code could have prevented the attack from occurring.
The Platypus team confirmed that the attack had taken place due to a flaw in the platform’s solvency check mechanism. The team attempted to contact the hacker to return the funds in exchange for a bug bounty, but no response has been received yet.
The report from Omniscia revealed that the problematic code did not exist in the version they had audited, which implies that the developers must have deployed a new version of the contract after the audit was performed.
This incident is similar to the Defrost Finance exploit that occurred on Christmas Day 2022. In both cases, the attacker used flash loans to perform the exploit. The Platypus team has yet to release an official statement addressing the issue. The attack highlights the need for better security measures and audits in the DeFi space.
It is unclear if the attacker will return the funds, but the Platypus team remains optimistic about the possibility of a bug bounty. The incident serves as a warning for DeFi platforms to take necessary precautions and ensure the security of their systems to avoid falling victim to similar attacks in the future.