sqrlfirst/platypus-exploit-analysis


platypus-exploit-analysis

Foundry

Overview

This repo contains the Platypus Finance smart contracts and fuzzing tests for the Foundry framework that detect the exploit used on 16 February 2023.

PLATYPUS FINANCE Contracts

  1. MasterPlatypusV4
  2. Treasure

Exploit description

The MasterPlatypusV4::emergencyWithdraw function performs its solvency check before updating the LP tokens associated with the stake position.

Test to reproduce the attack

The Exploiter contract reproduces the attack by performing the following operations:

  1. FlashLoan from Aave.
  2. Put USDC into the pool of Platypus.
  3. Deposit LP into the MasterPlatypusV4.
  4. Borrow USP.
  5. Call emergencyWithdraw to withdraw LP while still holding USP.
  6. Withdraw USDC by returning LP to the pool of Platypus.
  7. Exchange USP for other stables.

To run the test:

    forge test --contracts test/Exploiter.t.sol -vvv

Invariant Description

In English:

The collateral used to back the borrowed funds cannot be withdrawn.

The condition broken in the contracts is that an actor can hold a non-zero USP balance while their collateral is equal to zero.

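In Solidity:

    function invariant_withdrawBackingFunds() external {
        // USP currently held by the fuzzing handler (the simulated borrower)
        uint256 handlerBalance = USP.balanceOf(address(handler));
        // Handler's position in the treasure for the LP-USDC collateral
        PlatypusTreasure.PositionView memory Position = Treasure.positionView(address(handler), address(LPUSDC));
        // Borrow limit in USP reported for that position
        uint256 limit = Position.borrowLimitUSP;

        // Invariant: the USP held must never exceed the position's borrow limit
        assertEq(
            true,
            handlerBalance <= limit
        );
    }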

To run invariant fuzzing:

    forge test --contracts test/Invariant.t.sol -vvv
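The check-ordering flaw from the exploit description and the collateral invariant above, reduced to a toy Foundry test. This is an added illustration, not code from this repo or from Platypus Finance; ToyVault, its 1:1 borrow limit and all function names are assumptions, and token transfers are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
import "forge-std/Test.sol";

// Toy model (constructed): 1 staked LP unit backs 1 unit of borrowed USP.
contract ToyVault {
    mapping(address => uint256) public lp;   // staked collateral
    mapping(address => uint256) public debt; // borrowed USP

    function deposit(uint256 amt) external { lp[msg.sender] += amt; }

    function borrow(uint256 amt) external {
        require(debt[msg.sender] + amt <= lp[msg.sender], "over limit");
        debt[msg.sender] += amt;
    }

    function isSolvent(address user) public view returns (bool) {
        return debt[user] <= lp[user];
    }

    // Flawed ordering: solvency is evaluated on the position as it was
    // before the withdrawal, so a user with open debt passes the check.
    function emergencyWithdrawCheckFirst() external {
        require(isSolvent(msg.sender), "insolvent");
        lp[msg.sender] = 0;
    }

    // Corrected ordering (one possible fix): update the position first,
    // then require that the resulting position is still solvent.
    function emergencyWithdrawUpdateFirst() external {
        lp[msg.sender] = 0;
        require(isSolvent(msg.sender), "insolvent");
    }
}

contract OrderingTest is Test {
    ToyVault vault;

    function setUp() public {
        vault = new ToyVault();
        vault.deposit(100);
        vault.borrow(90);
    }

    function test_checkFirstBreaksInvariant() public {
        vault.emergencyWithdrawCheckFirst();
        assertEq(vault.lp(address(this)), 0);    // collateral is gone
        assertEq(vault.debt(address(this)), 90); // debt remains, now unbacked
    }

    function test_updateFirstReverts() public {
        vm.expectRevert(bytes("insolvent"));
        vault.emergencyWithdrawUpdateFirst();
    }
}
```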

Sources

  1. Rekt article
  2. platypus-finance/core
  3. Peckshield report
  4. Certik report
