Defrost Finance, the main DeFi platform on the Avalanche blockchain, has been the victim of a flash loan attack on both of its versions, Defrost v1 and Defrost v2, raising concerns that a rug pull may have taken place.
According to the company's announcement, a hacker breached Defrost Finance's V2 on December 23 and used its flash loan feature to drain funds. The team stated that V1 was unaffected.
Because Defrost v1 has no flash loan function, it was judged not to be vulnerable to the attack. Later, however, Defrost determined that v1 was also affected.
“Defrost is aware of the V1 emergency. Our team is currently investigating. We kindly ask the community to wait for updates and refrain from using either the V1 or V2 for the moment being,” Defrost Finance tweeted.
According to blockchain analytics company PeckShield, a vulnerability in Defrost Finance was indeed exploited, and the attacker profited by roughly $173,000 in cryptocurrency.
The attacker was able to manipulate the share price of LSWUSDC because the flashloan()/deposit() routines lacked a reentrancy lock, which made the vulnerability straightforward to exploit.
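As an added illustration (not Defrost's contract code), the toy model below prices vault shares from the live token balance and shows why flash_loan() and deposit() need one shared reentrancy lock: while loaned funds are outstanding the balance is depleted, so a deposit made inside the borrower callback is priced far too cheaply. The Vault class, share formula and numbers are assumptions made for the illustration.

```python
class ReentrancyError(Exception):
    """Raised when a guarded function is entered while the lock is held."""

class Vault:
    """Toy share-based vault; share price is derived from its live token balance."""

    def __init__(self, assets: int, shares: int, guarded: bool) -> None:
        self.balance = assets      # tokens the vault currently holds
        self.total_shares = shares
        self.guarded = guarded     # True: flash_loan() and deposit() share one lock
        self._locked = False

    def _enter(self) -> None:
        if self.guarded and self._locked:
            raise ReentrancyError("reentrant call blocked")
        self._locked = True

    def deposit(self, amount: int) -> int:
        """Mint shares at the current balance-derived price; return shares minted."""
        self._enter()
        try:
            minted = amount * self.total_shares // self.balance
            self.balance += amount
            self.total_shares += minted
            return minted
        finally:
            self._locked = False

    def flash_loan(self, amount: int, callback) -> None:
        """Lend `amount`, run the borrower's callback, then take repayment (no fee)."""
        self._enter()
        try:
            self.balance -= amount   # funds leave the vault, so the share price drops
            callback(self)           # borrower code runs while the vault is depleted
            self.balance += amount   # repayment restores the balance
        finally:
            self._locked = False

def shares_for_normal_deposit(amount: int = 100) -> int:
    """Shares minted by a plain deposit into a 1000-asset / 1000-share vault."""
    return Vault(1000, 1000, guarded=True).deposit(amount)

def shares_for_deposit_inside_loan(guarded: bool, loan: int = 900, amount: int = 100) -> int:
    """The same deposit made inside a flash loan callback; -1 if the lock blocked it."""
    vault = Vault(1000, 1000, guarded)
    minted: list[int] = []
    try:
        vault.flash_loan(loan, lambda v: minted.append(v.deposit(amount)))
    except ReentrancyError:
        return -1
    return minted[0]
```

With the lock absent, the same 100-token deposit mints ten times the shares it would outside the loan, and after repayment those shares are backed by the restored balance; with the shared lock, the nested deposit is rejected.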
PeckShield later reported that its analysis showed a fake collateral token had been added and a malicious price oracle used to liquidate existing users, with total losses believed to exceed $12 million.
Defrost Finance then issued a statement saying it had first been hit by a flash loan attack that drained funds from V2. According to reports, the attacker also stole the owner's key in order to carry out a larger attack on V1.
“We are currently working on finding out how exactly the aggressors managed to obtain the key and used it to exploit the protocol,” the Defrost team added.
Meanwhile, blockchain security company CertiK tweeted that it had attempted “to contact numerous members of the team but have gotten no answer.” The statement also characterized the attack as an exit scam.
Web3 security firm DeFiYield tweeted that, after auditing the project a year earlier, it had warned the DeFi community about a smart contract vulnerability in Defrost Finance that could be used to rug pull its users.
But even if a rug pull did take place, the Defrost Finance team has not vanished with all of the money: it has announced that it is willing to negotiate with the hackers, offering to let them keep 20% of the funds in exchange for the return of the stolen assets, and is calling on them to make contact as soon as possible.
Compiled by Coinbold