Defrost Finance, a decentralized leveraged trading platform built on the Avalanche blockchain, reported that both of its versions — Defrost v1 and Defrost v2 — are under investigation for a hack, while some experts and community members believe the purported hack was a rug pull.
Investors reported losing their staked Defrost Finance (MELT) and Avalanche (AVAX) tokens from their MetaMask wallets before the formal announcement was made.
In a Twitter thread published on December 25, the Defrost team claimed that a first attack used a flash loan to drain money from their V2 product, while a second, more significant attack used the owner key to exploit V1—all without specifying how much money was stolen.
1/4 The Defrost team has been working around the clock to find out more details concerning the events of the past 48 hours.
A thread ⬇️
— Defrost Finance 🔺 (@Defrost_Finance) December 25, 2022
Researchers Find Vulnerability in Defrost Finance
PeckShield, a blockchain researcher, earlier discovered that the hacker gained almost $173,000 by manipulating the share price of LSW/USDC.
A closer look at PeckShield's research indicates that users were rug-pulled through a counterfeit collateral token and manipulated pricing, with losses estimated at over $12 million.
The @Defrost_Finance is exploited, leading to the gain of ~$173k for the hacker. The hack is made possible due to the lack of reentrancy lock for the flashloan()/deposit() functions, which was used by the hacker to manipulate the share price of LSWUSDC. pic.twitter.com/SINHUZXC0D
— PeckShieldAlert (@PeckShieldAlert) December 23, 2022
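To illustrate the bug class PeckShield describes, the following added example (not Defrost's contract code and not from the original article) models a share-based vault in Python and shows how a lock shared by flashloan() and deposit() rejects a deposit made in the middle of a loan. The Vault class, the non_reentrant decorator, the run() helper and all amounts are hypothetical and constructed for illustration.

```python
# Added illustration: simplified model of a share-based vault (hypothetical
# names, not Defrost's contract code). Integer token units, constructed values.
import copy

class Reentrancy(Exception):
    """Raised when a guarded function is entered while another is running."""

def non_reentrant(fn):
    # One lock shared by every decorated function; enforced only if vault.guarded.
    def wrapper(self, *args):
        if self.guarded and self._locked:
            raise Reentrancy(fn.__name__)
        snapshot = copy.deepcopy(self.__dict__)
        was_locked, self._locked = self._locked, True
        try:
            return fn(self, *args)
        except Exception:
            self.__dict__.update(snapshot)  # model an EVM revert: undo state changes
            raise
        finally:
            self._locked = was_locked
    return wrapper

class Vault:
    def __init__(self, assets, shares, guarded):
        self.assets, self.shares, self.guarded = assets, shares, guarded
        self._locked = False
        self.balances = {}               # shares held per depositor

    @non_reentrant
    def deposit(self, who, amount):
        minted = amount * self.shares // self.assets  # priced off the current balance
        self.assets += amount
        self.shares += minted
        self.balances[who] = self.balances.get(who, 0) + minted

    @non_reentrant
    def flashloan(self, amount, callback):
        before = self.assets
        self.assets -= amount            # tokens leave before the callback runs
        callback(self, amount)
        if self.assets < before:         # repayment check looks only at the balance
            raise RuntimeError("loan not repaid")

def run(guarded):
    vault = Vault(assets=1000, shares=1000, guarded=guarded)
    try:
        # The callback deposits the borrowed tokens while the loan is still open.
        vault.flashloan(900, lambda v, amt: v.deposit("borrower", amt))
        outcome = "completed"
    except Reentrancy:
        outcome = "reverted"
    return outcome, vault.assets, vault.shares, vault.balances.get("borrower", 0)
```

Without the lock, the deposit is priced while the vault balance is temporarily low, so the borrower ends up with 9,000 of 10,000 shares and the price per share falls from 1 to 0.1; with the lock, the whole call reverts and the vault state is unchanged.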
In addition, DeFiYield, which provides a security layer for smart contracts along with a cross-chain digital asset management platform to protect investors from fraud and hacks, claimed to have audited Defrost Finance a year ago and identified the smart contract vulnerability that was exploited in the hack.
In recent weeks, the total value locked on Defrost Finance was around $13 million, but it has now fallen to less than $94,000, according to DefiLlama. It had peaked at $95 million in February.
Most recently, the Defrost team said it is prepared to negotiate with the hackers, offering to share a paltry 20% of the funds in exchange for the return of most of the assets.
Investors are urged not to utilize Defrost Finance any longer while the internal team conducts an investigation and prepares to contact users through official channels.
The cryptocurrency sector has already seen a number of hacking events, security flaws, and a loss of several billion dollars this year.
These incidents continue even over the Christmas holiday. As reported today, some users of the BitKeep decentralized wallet claimed on December 26 that their funds had been drained and moved while they were not using their wallets.