After Defrost Finance users complained about the loss of funds, the DEX confirmed that Defrost V2 was the victim of a flash loan attack.
On December 24, 2022, DeFi platform Defrost Finance, built on the Avalanche blockchain, suffered a hack, with an attacker using a flash loan function to withdraw funds.
The announcement was made on the official Twitter account. The team advises everyone to refrain from using the platform until they resolve the issue.
“Defrost Finance is sad to announce that our V2 has suffered a hack, with an attacker using a flash loan function to withdraw funds. The V1 is not affected. We will soon close the V2 UI and investigate further with our tech team. Updates will be posted on our official channels.”
— Defrost Finance 🔺 (@Defrost_Finance) December 24, 2022
The first sign of the hack came when investors reported that they had lost their stakes in Defrost Finance, as well as Avalanche coins from their MetaMask wallets.
At first, the team announced that Defrost Finance’s V1 was not affected by the hack.
After confirming the attack, PeckShield, a blockchain security company, discovered that the hacker had manipulated the price of LSWUSDC (Lending Switch USD Coin). The profit generated from the hack was approximately $173,000.
“Our analysis shows a fake collateral token is added, and a malicious price oracle is used to liquidate current users. The loss is estimated to be >$12M,” according to PeckShield.
The community was suspicious of the activities of the DEX, although they had announced the hack as soon as it was noticed.
Shortly after, the team announced that V1 of the DEX was also affected by the hack, despite the initial statement that it was not. Since V1 lacked the flash loan functionality, the team had believed that V1 couldn’t have been affected. At this point, they asked all users to stop using both V1 and V2.
The Defrost team continued their on-chain investigation on Dec 25. After publicly asking the hacker or hackers to return the funds stolen during the attack, the team also proposed a 20% (negotiable) fee of the total amount of $12.
According to the team, they had been working round the clock on Christmas Day to try to solve the crisis and return the funds. Eventually, on Dec 26, the team announced that the funds stolen from V1 had been returned. However, no other explanation was given.
Defrost Finance announced it would refund affected users
According to Defrost Finance, the platform managed to recover the funds from the V1 flash loan exploit and plans to return them to their rightful owners.
On Dec 27, Defrost posted on Medium that it would soon refund the stolen assets. The recovered funds are in an ETH wallet, will be converted to a stablecoin, and then transferred to Avalanche. The users will be able to recover their funds through a specific smart contract.
Users are still waiting for further news.
Other DeFi protocols that suffered losses recently are Raydium (Solana blockchain) – $2 million, and Ankr (Ethereum blockchain) – $5 million.
Is Defrost Finance a scam?
On Dec 24, PeckShield, a blockchain analytics company, issued a warning to its community. They described the Defrost Finance project as a “rug pull” with losses estimated at around $12 million.
On Dec 26, CertiK, a blockchain security company, posted an alert about Defrost Finance. It stated that they tried to reach the team but did not receive any response. They described the exploit as an “exit-scam,” which implies that the DeFi platform might have stolen user funds.