Platypus attack exploited incorrect ordering of code, auditor claims

cointelegraph.com:

The $8m Platypus flash loan attack was made possible because of code that was in the wrong order, according to a post mortem report from Platypus auditor Omniscia. The auditing company claims the problematic code didn’t exist in the version they saw.

In light of the recent @Platypusdefi incident the https://t.co/30PzcoIJnt team has prepared a technical post-mortem analysis describing how the exploit unravelled in great details. Be sure to follow @Omniscia_sec to receive more security updates!https://t.co/cf784QtKPK pic.twitter.com/egHyoYaBhn

According to the report, the Platypus MasterPlatypusV4 contract “contained a fatal misconception in its emergencyWithdraw mechanism” which made it perform “its solvency check before updating the LP tokens associated with the stake position.”

The report emphasized that the code for the emergencyWithdraw function had all of the necessary elements to prevent an attack, but these elements were simply written in the wrong order, as Omniscia explained:

Omnisia admitted that they audited a version of the MasterPlatypusV4 contract from Nov. 21 to Dec. 5, 2021. However, this version “contained no integration points with an external platypusTreasure system” and therefore did not contain the misordered lines of code. From Omniscia’s point of view, this implies that the developers must have deployed a new version of the contract at some point after the audit was made.

Related: Raydium announces details of hack, proposes compensation for victims

The auditor claims that the contract implementation at Avalanche (AVAX) C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited. Lines 582-584 of this contract appear to call a function called “isSolvent” on the