Defrost Finance, a decentralized leveraged trading platform on Avalanche, reported that all funds lost to the exploit of its platform on December 23rd were returned, following claims that they may have been returned on December 26th.
hacked funds #DefrostFinance.
Affected users will soon be able to get their assets back.
— Defrost Finance 🔺 (@Defrost_Finance) December 26, 2022
Defrost Finance has vowed to return all lost funds to affected users after scanning on-chain data to determine the ownership and amount of funds owned by each affected user.
Previously, the Avalanche-based protocol reported that its platform was hacked and that attackers used its flash loan feature to withdraw funds.
On December 24th, the company claimed that only V2 products were affected and V1 remained safe.
Defrost Finance is sad to announce that V2 has been hacked and the attackers used the flash loan feature to withdraw funds.
V1 is unaffected. We will close the V2 UI soon and investigate further with our tech team.
The latest information will be posted on the official channel.
— Defrost Finance 🔺 (@Defrost_Finance) December 24, 2022
However, the team reported on Dec. 25 that hackers also obtained the owner key for a larger attack on the platform’s V1 product.
According to blockchain analytics firm PeckShield, hackers made around $173,000 from the exploit.
of @Defrost_Finance Once exploited, hackers could make profits of up to $173,000. The hack was made possible due to the lack of reentrant locks in the flashloan()/deposit() functions that the hacker used to manipulate his LSWUSDC stock price. pic.twitter.com/SINHUZXC0D
— PeckShieldAlert (@PeckShieldAlert) December 23, 2022
Further analysis by PeckShield revealed that fake collateral tokens were added and a malicious price oracle was used to liquidate current users, resulting in a total loss of over $12 million and indicating a potential rug pull.
Additionally, blockchain security firm CertiK claimed the exploit was an exit scam after receiving no response to inquiries from the Defrost Finance team.
I have tried to contact several members of the team, but have not received a response.
The team is not KYCed, but we are using all information necessary to assist authorities pic.twitter.com/XC009dM40T
— CertiK Alert (@CertiKAlert) December 26, 2022
Similarly, DeFiYieldApp, a Web3 security company, said it had warned the DeFi community about a vulnerability in Defrost Finance's smart contracts a year ago, which helped the company attract users.
There’s no clear indication if the hack was a rug pull, but the company has indicated it’s willing to negotiate with the hackers to return the funds.
According to DefiLlama data, the total amount of funds locked in the protocol fell on Dec. 25, after the attack, from $13.16 million to less than $93,000.