Defrost Finance Hacked, Claims Funds Have Been Recovered

Decentralized leverage trading protocol Defrost Finance, which recently disclosed that its protocol has been exploited for roughly $12 million through its V1 and V2 products, has issued an update stating that the V1 attacker has returned the exploited funds.

“We will soon start scanning the data on-chain to find out who owned what prior to the hack in order to return them to the rightful owners. As different users had variable proportions of assets and debt, this process might take a little [time],” Defrost Finance devs stated through an official blog post.

According to the team, the first attack involved the use of a flash loan sequence to drain funds from its V2 product. Another exploit was launched using the owner key, gaining access to Defrost Finance’s V1 product.

In decentralized finance protocols, liquidations occur when the value of a user’s collateral falls below a protocol’s minimum loan-to-value ratio. Defrost allows users to deposit collateral for a loan, which the protocol uses to calculate the interest rate on that loan. Fake collateral introduced into V2 likely compromised users’ loan-to-value ratios, leading to their liquidations.

The protocol is built on top of the Avalanche blockchain. What’s curious is that blockchain security firms such as PeckShield have claimed that the attack was more of an inside job, and it has been considered a rug pull.

CertiK, another blockchain security and auditing firm, confirmed that they have been unable to establish contact with the Defrost Finance team, leading to the firm posting a warning on its Twitter account which indicated that the Defrost Finance hack was instead an exit scam. At the time of writing, Defrost Finance’s official Twitter account is either not able to receive messages or is already pre-configured not to do so.

In November 2021, CertiK audited Defrost V1’s smart contracts and listed a critical logic issue and five issues relating to centralization. Both issues were resolved at press time; the former was acknowledged without evidence of further work, while the latter was acknowledged with evidence of further work.

The term “bug” refers to a logic issue, which can cause smart contracts to operate incorrectly without crashing. Logic issues occur when smart contracts fail to work as intended, whereas centralization issues are a result of a hacker gaining access to shared code blocks or variables.

Initial reports on the exploit revealed that roughly $173,000 was drained through the V1 protocol, while another $1.4 million was taken through Rubic Finance, a cross-chain aggregator linked with Defrost Finance. These, along with the $12 million heist on its V2 product, have raised concerns about the protocol’s stability and security in terms of its smart contract code, putting into question the issue of centralization across its ecosystem.
