About  Project Blog Resources

Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Platypus Finance - REKT 2- 1266

RektPosted 2 Years Ago
  • Platypus Finance has joined the leaderboard for a second time! The smart contracts had been audited. However, they recently added some new functionality, which got them pwned.
  • The attack was from a price manipulation issue. The swap price depends on the ratio of cash in the protocol. By manipulating the cash and liability of the protocol, the slippage drastically increases. Eventually, this leads to much less funds than anticipated to be sent for a trade.
  • To do this, the attacker takes out several large flash loans. From there, they deposit wAVAXto LP-AVAX and stake AVAX to LP-sAVAX. This was done in order to increase the liability of both the contracts.
  • Next, the attacker swaps in sAVAX to wAVAX to reduce the cash of the LP-AVAX contract. Finally, they remove all of the available cash by withdrawing the wAVAX. The setup was complete: almost no cash is within the contract.
  • The attacker performs a swap with the manipulated price to steal a bunch of funds. Absolutely wild. I don't fully understand the manipulation, since I'm not familiar with the protocol, but it's interesting none-the-less.

Maxwell DulinEmail me!TwitterGithubAdminBlog RSS FeedResources RSS Feed