
Platypus attack exploited incorrect ordering of code, auditor claims


Source: 中金网, 47 minutes ago
Summary: Disclaimer: The article has been updated to reflect that Omniscia did not audit a version of the MasterPlatypusV4 contract. Instead, the company audited a


  The $8 million Platypus flash loan attack was made possible by code that was in the wrong order, according to a post-mortem report from Platypus auditor Omniscia. The auditing company claims the problematic code did not exist in the version it audited.

  In light of the recent @Platypus incident, the https://t.co/30PzcoIJnt team has prepared a technical post-mortem analysis describing how the exploit unravelled in great detail.

  Make sure to follow @Omniscia_sec to receive more security updates! https://t.co/cf784QtKPK pic.twitter.com/egHyoYaBhn

  — Omniscia (@Omniscia_sec), 17 [month garbled in source] 2023

  According to the report, the Platypus MasterPlatypusV4 contract “contained a fatal misconception in its emergencyWithdraw mechanism,” which made it perform “its solvency check before updating the LP tokens associated with the stake position.”

  The report stresses that the code of the emergencyWithdraw function had every element needed to prevent the attack, but those elements were simply written in the wrong order, as Omniscia explains:

  “This issue could have been prevented by reordering the MasterPlatypusV4::emergencyWithdraw statements and performing the solvency check after the user's amount entry has been set to 0, which would have prevented the attack from taking place.”

  Omniscia audited a version of the MasterPlatypusV1 contract from Nov. 21 to Dec. 5, 2021. However, this version “contained no integration points with an external platypusTreasure system” and therefore did not contain the misordered lines of code.

  It is important to note that the code that was exploited did not exist at the time of Omniscia's audit. Omniscia's account implies that the developers deployed a new version of the contract at some point after the audit was completed.

  The auditor claims that the contract implementation at Avalanche C-Chain address 0xc007f27b757a782c833c568f5851ae1dfe0e6ec7 is the one that was exploited. Lines 582–584 of this contract appear to call a function called “isSolvent” on the PlatypusTreasure contract, and lines 599–601 appear to set the user's amount, factor and rewardDebt to zero. However, these values are set to zero only after “isSolvent” has already been called, so the solvency check still counts the collateral that is about to be withdrawn.
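  The ordering flaw described above, modelled as an added Python example (this is not Platypus or Omniscia code): a toy staking contract and a toy treasury whose solvency check reads the user's currently staked amount. All names (MasterPlatypus, Treasure, is_solvent, emergency_withdraw_vulnerable, emergency_withdraw_fixed), the collateral ratio, the LP price and the attacker's figures are assumed for illustration. The vulnerable method checks solvency before zeroing the stake, as the report describes; the fixed method zeroes the stake first and checks afterwards, with an explicit rollback standing in for an EVM revert.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed parameters for the illustration (not Platypus values).
LP_PRICE = 1            # 1 LP token counts as 1 USD of collateral
COLLATERAL_PCT = 150    # debt must be covered 150% by collateral


class Revert(Exception):
    """Stands in for an EVM revert: the call fails and its state change is undone."""


@dataclass
class Treasure:
    """Toy stand-in for a treasury that issues stablecoin debt against stakes."""
    master: "MasterPlatypus"
    debt: Dict[str, int] = field(default_factory=dict)

    def is_solvent(self, user: str) -> bool:
        # Reads the user's *current* staked amount from the staking contract.
        collateral = self.master.amount.get(user, 0) * LP_PRICE
        return collateral * 100 >= self.debt.get(user, 0) * COLLATERAL_PCT

    def borrow(self, user: str, usp: int) -> None:
        self.debt[user] = self.debt.get(user, 0) + usp
        if not self.is_solvent(user):
            self.debt[user] -= usp
            raise Revert("borrow would leave the position insolvent")


@dataclass
class MasterPlatypus:
    """Toy staking contract; `amount` is the staked LP per user."""
    treasure: Optional[Treasure] = None
    amount: Dict[str, int] = field(default_factory=dict)
    wallet: Dict[str, int] = field(default_factory=dict)  # LP held outside the contract

    def deposit(self, user: str, lp: int) -> None:
        if self.wallet.get(user, 0) < lp:
            raise Revert("insufficient LP")
        self.wallet[user] -= lp
        self.amount[user] = self.amount.get(user, 0) + lp

    def emergency_withdraw_vulnerable(self, user: str) -> None:
        # Order the report describes: solvency is checked while the stake
        # still counts as collateral ...
        if not self.treasure.is_solvent(user):
            raise Revert("insolvent")
        # ... and only then is the stake zeroed and the LP handed back, so a
        # user with outstanding debt walks away with both the LP and the debt.
        lp = self.amount.get(user, 0)
        self.amount[user] = 0
        self.wallet[user] = self.wallet.get(user, 0) + lp

    def emergency_withdraw_fixed(self, user: str) -> None:
        # Reordered as Omniscia suggests: zero the stake first, check after.
        lp = self.amount.get(user, 0)
        self.amount[user] = 0
        if not self.treasure.is_solvent(user):
            self.amount[user] = lp  # roll back, as a revert would
            raise Revert("withdrawal would leave the position insolvent")
        self.wallet[user] = self.wallet.get(user, 0) + lp


def run_attack(use_fix: bool) -> Dict[str, object]:
    """Constructed scenario: the attacker 'flash-loans' 1000 LP, stakes it,
    borrows 600 USP against it and calls emergencyWithdraw. Returns what the
    attacker ends up holding and whether the withdrawal reverted."""
    master = MasterPlatypus()
    master.treasure = Treasure(master)
    who = "attacker"
    master.wallet[who] = 1000          # flash-loaned LP (assumed)
    master.deposit(who, 1000)
    master.treasure.borrow(who, 600)   # 600 * 150% = 900 <= 1000 collateral
    withdraw = master.emergency_withdraw_fixed if use_fix else master.emergency_withdraw_vulnerable
    try:
        withdraw(who)
        reverted = False
    except Revert:
        reverted = True
    return {
        "reverted": reverted,
        "lp_in_wallet": master.wallet[who],     # needed to repay the flash loan
        "usp_held": master.treasure.debt[who],  # debt kept == stablecoin kept
        "collateral_staked": master.amount[who],
    }


if __name__ == "__main__":
    print("vulnerable:", run_attack(False))
    print("fixed:     ", run_attack(True))
```

  With the vulnerable ordering, run_attack(False) shows the attacker ending the call with all 1000 LP back in the wallet (enough to repay the flash loan) while still holding the 600 USP borrowed against it, leaving the treasury with unbacked debt. With the reordered check, run_attack(True) reverts; in a real flash-loan transaction that revert unwinds the whole sequence, since the loan could no longer be repaid.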

  The Platypus team confirmed on Feb. 16 that the attacker exploited a “flaw in [the] USP solvency check mechanism,” but did not initially provide further detail. The auditor's report sheds further light on how the attacker may have carried out the exploit.

  The Platypus team announced on Feb. 16 that the attack had occurred. It has attempted to contact the hacker and get the funds returned in exchange for a bug bounty. The attacker used flash loans to perform the exploit, a strategy similar to the one used in the Defrost Finance exploit on Dec. 25, 2022.

  Source: https://cointelegraph.com/news/platypus-attack-exploited-incorrect-ordering-of-code-auditor-claims
