Defrost Finance, a leading DeFi platform on the Avalanche blockchain, suffered a flash loan attack on both of its versions, Defrost v1 and Defrost v2, with suspicions arising that a rug pull has occurred.
Defrost Finance announced that its V2 suffered a hack on December 23, with an attacker using a flash loan function to withdraw funds. The team initially stated that V1 was not affected.
Defrost v1 was declared unaffected by the hack because it lacked a flash loan feature. However, Defrost later acknowledged that v1 was also experiencing an issue.
“Defrost is aware of the V1 emergency. Our team is currently investigating. We kindly ask the community to wait for updates and refrain from using either the V1 or V2 for the moment being,” Defrost Finance tweeted.
Defrost Finance was indeed exploited, according to blockchain analytics firm PeckShield, resulting in a profit of almost $173k for the hacker.
The exploit was made possible by the lack of a reentrancy lock on the flash loan and deposit() functions, which the hacker used to manipulate the share price of LSWUSDC.
PeckShield later stated that its analysis showed a fake collateral token had been added and a malicious price oracle used to liquidate existing users, with the total loss estimated at more than $12M.
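To make the share-price mechanism concrete, here is an added illustration written for this article; it is not Defrost's code and does not reproduce its contracts. It models a generic share-based vault that also offers flash loans: the unguarded version prices deposits from the live token balance, which is temporarily depressed while a flash loan is outstanding, so a deposit that lands inside the borrower callback is minted at a distorted price. The guarded version adds a single lock shared by both entry points and prices shares from internal accounting instead of `balanceOf`. All contract, interface and function names (`VaultUnguarded`, `VaultGuarded`, `IFlashBorrower`, `onFlashLoan`, `flashLoan`) are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC-20 surface used below (assumed interface, not Defrost's own code).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical borrower callback the vault invokes during a flash loan.
interface IFlashBorrower {
    function onFlashLoan(uint256 amount, uint256 fee) external;
}

// Illustrative vault WITHOUT a reentrancy lock. Share price = balance / totalShares,
// read from the live token balance. While flashLoan() has handed tokens to the
// borrower, that balance is lower, so any deposit() executed inside the
// onFlashLoan callback is priced against the depressed balance and receives
// more shares than it should. This is the bug class described above.
contract VaultUnguarded {
    IERC20 public immutable asset;
    uint256 public totalShares;
    mapping(address => uint256) public shares;

    constructor(IERC20 _asset) { asset = _asset; }

    function deposit(uint256 amount) external {
        uint256 bal = asset.balanceOf(address(this)); // live balance: wrong while a loan is out
        uint256 minted = totalShares == 0 ? amount : (amount * totalShares) / bal;
        require(asset.transferFrom(msg.sender, address(this), amount), "transfer failed");
        shares[msg.sender] += minted;
        totalShares += minted;
    }

    function flashLoan(uint256 amount) external {
        uint256 before = asset.balanceOf(address(this));
        uint256 fee = amount / 1000; // 0.1% fee, chosen for the example
        require(asset.transfer(msg.sender, amount), "transfer failed");
        // External call with no lock held: deposit() can be re-entered from here.
        IFlashBorrower(msg.sender).onFlashLoan(amount, fee);
        require(asset.balanceOf(address(this)) >= before + fee, "loan not repaid");
    }
}

// Hardened version: (1) one mutual-exclusion lock covers BOTH deposit() and
// flashLoan(), so nothing can change the share price mid-loan, and (2) the
// share price is derived from internal accounting (totalAssets), which is not
// affected by tokens being temporarily out on loan.
contract VaultGuarded {
    IERC20 public immutable asset;
    uint256 public totalShares;
    uint256 public totalAssets; // internal accounting, deliberately not balanceOf()
    mapping(address => uint256) public shares;

    uint256 private locked = 1;
    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    constructor(IERC20 _asset) { asset = _asset; }

    function deposit(uint256 amount) external nonReentrant {
        uint256 minted = totalShares == 0 ? amount : (amount * totalShares) / totalAssets;
        require(asset.transferFrom(msg.sender, address(this), amount), "transfer failed");
        shares[msg.sender] += minted;
        totalShares += minted;
        totalAssets += amount;
    }

    function flashLoan(uint256 amount) external nonReentrant {
        require(amount <= totalAssets, "insufficient liquidity");
        uint256 before = asset.balanceOf(address(this));
        uint256 fee = amount / 1000;
        require(asset.transfer(msg.sender, amount), "transfer failed");
        // Re-entering deposit() or flashLoan() from the callback now reverts.
        IFlashBorrower(msg.sender).onFlashLoan(amount, fee);
        require(asset.balanceOf(address(this)) >= before + fee, "loan not repaid");
        totalAssets += fee; // fee accrues to existing shareholders
    }
}
```

When reviewing a vault that exposes flash loans, the check to make is that every function capable of moving the share price (deposit, withdraw, harvest, rebalance) holds the same lock as the flash loan entry point; a lock on the flash loan alone does not help if deposit() can be called from the callback. Pricing from internal accounting rather than the raw token balance is the second, independent layer.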
Defrost Finance then put out a statement saying it suffered a first hack involving a flash loan attack, which led to the draining of the funds in the V2. The hacker also reportedly managed to steal the owner’s key for a larger attack on the V1.
“We are currently working on finding out how exactly the aggressors managed to obtain the key and used it to exploit the protocol,” the Defrost team added.
Meanwhile, blockchain security firm CertiK tweeted that it had tried “to contact multiple members of the team but have had no response” and also characterized the exploit as an exit scam.
Web3 security firm DeFiYield tweeted that it had already warned the DeFi community about the smart contract vulnerability in Defrost Finance that was used to rug pull its users, after auditing the protocol a year earlier.
But even if a rug pull did occur, the Defrost Finance team has not disappeared with all the money: it announced that it is willing to negotiate with the hackers, offering to share 20% of the funds in exchange for the return of the stolen assets, and called on the hackers to make contact as soon as possible.