Overview:

On July 12, 2023, Platypus suffered an attack on the Ethereum chain, due to a business logic issue leading to a loss of ~51K USD.

Smart Contract Hack Overview:

• Attackers address: 0xc64afc
• Attack Contract: 0x16a3c9
• Vulnerable Contract: 0x7e1333
• Attack Transaction: 0x4b544e

Fig: Attack Transaction

Decoding the Smart Contract Vulnerability:

• The main cause of the problem lies in the calculation of liquidity conversion for LP-USDC, which is flawed.
• When exchanging USDC for USDC.e, the calculation for determining the quantity of USDC.e becomes unreasonably large.
• Within the _deposit function, calling asset.addLiability() contributes to an increase in the asset.liability() parameter.
• As a consequence, during the withdrawFrom process, the hacker is able to withdraw a greater amount of USDC.e than what was initially deposited as USDC.

Fig: The root cause of the vulnerability

Mitigation and Best Practices:

• Always validate your code by writing comprehensive test cases that cover all the possible business logic.
• To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at Caligo provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://caligosec.com/
• Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at Caligo

Caligo — Smart Contract Vulnerability Scanner

Conclusion:

Caligo is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts.

Follow us on our Social Media for Web3 security-related updates.
Caligo Security — LinkedIn | Twitter | Telegram