Decentralized leverage trading platform on Avalanche, Defrost finance reported that all the funds lost due to an exploit on its platform on Dec. 23 were returned on Dec. 26 after claims of a possible rug pull.
The hacked funds have been returned to #DefrostFinance.
The affected users will very soon be able to claim their assets back.
— Defrost Finance 🔺 (@Defrost_Finance) December 26, 2022
Defrost Finance affirmed that it would return all the lost funds to the exploited users after scanning the on-chain data to determine the ownership and amount of funds owned by each affected user.
Earlier, the Avalanche-based protocol reported the platform had been hacked, with an attacker withdrawing funds using the flash loan function.
On Dec.24, the firm claimed that only their V2 product was affected, and V1 remained safe.
Defrost Finance is sad to announce that our V2 has suffered a hack, with an attacker using a flash loan function to withdraw funds.
The V1 is not affected. We will soon close the V2 UI and investigate further with our tech team.
Updates will be posted on our official channels.
— Defrost Finance 🔺 (@Defrost_Finance) December 24, 2022
However, on Dec. 25, the team reported the hacker also obtained the owner key for a larger attack on the platform’s V1 product.
The hacker made almost $173k from the exploit, according to blockchain analytics firm PeckShield.
The @Defrost_Finance is exploited, leading to the gain of ~$173k for the hacker. The hack is made possible due to the lack of reentrancy lock for the flashloan()/deposit() functions, which was used by the hacker to manipulate the share price of LSWUSDC. pic.twitter.com/SINHUZXC0D
— PeckShieldAlert (@PeckShieldAlert) December 23, 2022
Upon further analysis, PeckShield revealed that a fake collateral token was added. A malicious price oracle was used to liquidate current users for a total loss of more than $12 million, indicating a possible rug pull.
Further, blockchain security firm Certik claimed that the exploit was an exit scam after they couldn’t get any response to their queries from Defrost Finance team.
On 24 December we have seen an #exitscam on @Defrost_Finance
We have attempted to contact multiple members of the team but have had no response.
The team are not KYC’d but we are using all the information that we do have to assist with authorities pic.twitter.com/XC009dM40T
— CertiK Alert (@CertiKAlert) December 26, 2022
On the same note, DeFiYieldApp, a Web3 security firm, tweeted that they warned the DeFi Community one year ago about the Defrost Finance smart contract vulnerability that allows the firm to rugpull its users.
Even though there are no clear indications whether the hack was a rug pull, the firm has shown a willingness to negotiate with the hackers to return funds.
On Dec. 25, the total value of funds locked on the protocol had dropped to less than $93,000 from $13.16 million after the attack, according to DefiLlama data.