Defrost Finance, a decentralized leveraged trading platform on Avalanche, reported that all funds lost in the exploit of the platform on December 23rd were returned on December 26th.
hacked funds #DefrostFinance.
Affected users will soon be able to get their assets back.
Details 👇https://t.co/RpDqKAK44y
— Defrost Finance 🔺 (@Defrost_Finance) December 26, 2022
Defrost Finance has pledged to return all lost funds to affected users after scanning on-chain data to determine the ownership and amount of funds held by each affected user.
Previously, the Avalanche-based protocol had reported that its platform was hacked and that attackers had used its flash loan feature to withdraw funds.
On December 24th, the company claimed that only V2 products were affected and V1 remained safe.
Defrost Finance announces that our V2 has been hacked and the attackers used the flash loan feature to withdraw funds.
V1 is unaffected. We will be closing the V2 UI shortly to investigate further with our tech team.
The latest information will be posted on the official channel.
— Defrost Finance 🔺 (@Defrost_Finance) December 24, 2022
However, the team reported on Dec. 25 that hackers also obtained the owner key for a larger attack on the platform’s V1 product.
According to blockchain analytics firm PeckShield, hackers made around $173,000 from the exploit.
of @Defrost_Finance Once exploited, hackers could make profits of up to $173,000. The hack was made possible due to the lack of reentrant locks in the flashloan()/deposit() functions that the hacker used to manipulate his LSWUSDC stock price. pic.twitter.com/SINHUZXC0D
— PeckShieldAlert (@PeckShieldAlert) December 23, 2022
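To illustrate the missing reentrancy lock on flashloan()/deposit() that PeckShield describes, here is an added Python model; it is not Defrost Finance's contract and not part of the original article. The vault design, the names `ToyVault` and `run_scenario`, and all amounts are assumptions constructed for the example, which runs the same callback against a vault without a shared lock and one with it.

```python
class ReentrancyError(Exception): pass

class ToyVault:
    """Constructed share vault for illustration; not Defrost Finance's code."""
    def __init__(self, guarded):
        self.guarded = guarded   # True: flash_loan() and deposit() share one lock
        self.locked = False
        self.cash = 0            # underlying tokens held by the vault
        self.shares = {}         # holder -> share balance
        self.total_shares = 0

    def _enter(self):
        if self.guarded and self.locked:
            raise ReentrancyError("re-entered while locked")
        self.locked = True

    def deposit(self, who, amount):
        self._enter()
        # Share price comes from the live cash balance (assumed design).
        minted = amount if self.total_shares == 0 else amount * self.total_shares // self.cash
        self.cash += amount
        self.shares[who] = self.shares.get(who, 0) + minted
        self.total_shares += minted
        self.locked = False
        return minted

    def flash_loan(self, amount, callback):
        self._enter()
        snapshot = (self.cash, dict(self.shares), self.total_shares)
        try:
            self.cash -= amount          # funds leave the vault
            callback(self, amount)       # untrusted borrower code runs here
            if self.cash < snapshot[0]:  # repayment checked by balance only
                raise RuntimeError("flash loan not repaid")
        except Exception:
            # Model an EVM revert: restore state, then propagate.
            self.cash, self.shares, self.total_shares = snapshot
            raise
        finally:
            self.locked = False

def run_scenario(guarded):
    vault = ToyVault(guarded)
    vault.deposit("alice", 1000)         # constructed honest liquidity
    try:
        # The callback "repays" by depositing the borrowed tokens back.
        vault.flash_loan(900, lambda v, amt: v.deposit("borrower", amt))
    except ReentrancyError:
        return "blocked", vault.shares.get("borrower", 0), vault.cash
    return "accepted", vault.shares.get("borrower", 0), vault.cash
```

Without the lock, the balance-only repayment check passes while the borrower is credited shares priced against the temporarily drained balance; with the lock, the nested deposit() reverts the whole call and the vault state is unchanged.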
Further analysis by PeckShield revealed that fake collateral tokens had been added and that a malicious price oracle was used to liquidate current users, with total losses of more than $12 million. This points to the possibility of a rug pull.
Additionally, blockchain security firm CertiK claimed the exploit was an exit scam after receiving no response to its inquiries to the Defrost Finance team.
#CertiK SkynetAlert 🚨
December 24th, #exitscam upon @Defrost_Finance
I have tried to contact several members of the team, but have not received a response.
The team is not KYCed, but we are using all information necessary to assist authorities pic.twitter.com/XC009dM40T
— CertiK Alert (@CertiKAlert) December 26, 2022
Similarly, DeFiYieldApp, a Web3 security company, said that it had warned the DeFi community a year ago about a vulnerability in Defrost Finance’s smart contracts, which helped the company attract users.
There’s no clear indication if the hack was a rug pull, but the company has indicated it’s willing to negotiate with the hackers to return the funds.
As of Dec. 25, after the attack, the total amount of funds locked in the protocol had fallen from $13.16 million to less than $93,000, according to DefiLlama data.