Defrost Finance was hacked & the exploit may have been a rug pull that made off with $12 million
Decentralized finance protocol Defrost Finance was hacked on December 23, although blockchain security company Peckshield claimed, citing “community information,” that it may have been a scam to steal $12 million.
2/4 On December 23, Defrost suffered a first hack involving a flash loan attack, which led to the draining of the funds in the V2.
— Defrost Finance 🔺 (@Defrost_Finance) December 25, 2022
Defrost Finance Hacked in Attack Some Say May Have Been a Rug Pull
The Defrost team said in a tweet thread published on December 25 that a first attack used a flash loan to drain funds from its V2 product. A second, more significant attack used the owner key to exploit V1. The leveraged trading protocol on the Avalanche blockchain did not specify how much money had been taken.
4/4 We will keep on investigating and all relevant information will be shared with the community.
We are thankful to the Defrost community for their ongoing support at this difficult time 🙏
Our priority remains to recover the funds.
— Defrost Finance 🔺 (@Defrost_Finance) December 25, 2022
According to Peckshield’s analysis, the attack used a fake collateral token and a manipulated price oracle.
We received community intel warning the rugpull of @Defrost_Finance. Our analysis shows a fake collateral token is added and a malicious price oracle is used to liquidate current users. The loss is estimated to be >$12M. https://t.co/70iu38OYh7 pic.twitter.com/rSKklgV71I
— PeckShield Inc. (@peckshield) December 24, 2022
A rug pull can happen when developers set up a liquidity pool and then withdraw the money after investors have purchased the associated token. According to Defi Llama data, the total amount of money held on Defrost Finance, which peaked at $95 million in February, has recently been around $13 million.
On December 25th, that fell to less than $93,000. If the attack was a rug pull, it would be a unique one. Usually, the group responsible for such a scheme disappears and cannot be reached. However, Defrost Finance stated in a tweet that it is open to negotiating with the attack’s perpetrators for the return of the funds.
An attempt to contact the company via Twitter was unsuccessful because the account has direct messages disabled. DeFiYield claimed to have audited Defrost Finance a year prior and identified the smart contract flaw that was exploited in the breach.
⚡️ We have warned DeFi Community about the smart contract vulnerability @Defrost_Finance used to rug pull its users.
1 year ago we performed an audit on Defrost.
Audit link: https://t.co/u2JBm7zAq8
Don’t wanna get scammed in Crypto?
Follow DeFiYield Audits! 🚨 https://t.co/4Osx19KE0f pic.twitter.com/eIgx3rFn69
— DeFiYield 🛡️ Web 3 Security (@DefiyieldSec) December 25, 2022
According to Chainalysis, crypto investors lost over $2.8 billion to rug pulls last year. Rug pulls accounted for 37% of the more than $7.7 billion in criminal profits generated by cryptocurrency schemes that year. The number in 2022 is probably higher: according to research from the blockchain risk monitoring company Solidus Labs, scammers have used over 117,000 scam tokens as of December 1, 41% more than they did in all of 2021.