
Defrost Finance hacked for $12m; team says funds will be returned
On December 23, the team behind the DeFi protocol Defrost Finance announced a hack. PeckShield warned of a possible rug pull. Losses exceeded $12 million.
1/4 The Defrost team has been working around the clock to find out more details concerning the events of the past 48 hours.
A thread ⬇️
— Defrost Finance 🔺 (@Defrost_Finance) December 25, 2022
Initially, the project developers said the attack targeted the V2 version of the protocol using a flash loan.
On December 26, the Defrost Finance team said that the stolen funds have been returned and the project is preparing to distribute them among users.
The hacked funds have been returned to #DefrostFinance.
The affected users will very soon be able to claim their assets back.
Details 👇https://t.co/RpDqKAK44y
— Defrost Finance 🔺 (@Defrost_Finance) December 26, 2022
According to PeckShield, the hacker exploited the absence of a reentrancy lock. By manipulating the price in the LSWUSDC liquidity pool, the attacker harvested about $173,000.
The @Defrost_Finance is exploited, leading to the gain of ~$173k for the hacker. The hack is made possible due to the lack of reentrancy lock for the flashloan()/deposit() functions, which was used by the hacker to manipulate the share price of LSWUSDC. pic.twitter.com/SINHUZXC0D
— PeckShieldAlert (@PeckShieldAlert) December 23, 2022
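A simplified Python model of the bug class PeckShield describes, added here as an illustration and not Defrost Finance's contract code: the `Vault` class, its share formula, the 1000-token pool and the zero-fee loan are all constructed assumptions. It shows why a flash-loan repayment check based only on the vault's balance is satisfied by a reentrant `deposit()`, and how one lock shared by both functions rejects it.

```python
# Simplified model of a share-based vault (constructed; not Defrost Finance's contract).
class ReentrancyError(Exception):
    pass

class Vault:
    def __init__(self, assets, shares, guarded):
        self.assets = assets          # underlying tokens held by the vault
        self.total_shares = shares    # shares owned by existing depositors
        self.guarded = guarded        # True = one lock shared by both entry points
        self._locked = False
        self.balances = {}

    def deposit(self, user, amount):
        if self.guarded and self._locked:
            raise ReentrancyError("deposit() called during flash_loan()")
        minted = amount * self.total_shares // self.assets  # priced off current balance
        self.assets += amount
        self.total_shares += minted
        self.balances[user] = self.balances.get(user, 0) + minted
        return minted

    def redeem(self, user):
        shares = self.balances.pop(user, 0)
        amount = shares * self.assets // self.total_shares
        self.assets -= amount
        self.total_shares -= shares
        return amount

    def flash_loan(self, amount, callback):
        before = self.assets
        self._locked = True
        try:
            self.assets -= amount      # funds leave; share price is now depressed
            callback(self, amount)     # borrower-controlled code runs here
            if self.assets < before:   # repayment check looks only at the balance
                raise RuntimeError("flash loan not repaid")
        finally:
            self._locked = False

def run_scenario(guarded):
    """Borrower 'repays' via deposit() in the callback. Returns (payout, left for others)."""
    vault = Vault(assets=1000, shares=1000, guarded=guarded)
    vault.flash_loan(900, lambda v, amt: v.deposit("borrower", amt))
    payout = vault.redeem("borrower")
    return payout, vault.assets
```

Without the lock, the deposit made during the loan both restores the balance and mints shares at the depressed price, so the existing depositors' 1000 shares end up backed by 100 tokens. With the lock, the same call sequence raises `ReentrancyError` and the loan reverts.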
According to Defrost Finance, the attacker conducted a second attack on the V1 protocol using the obtained owner key. The team did not disclose the amount of damage; PeckShield estimated it at more than $12 million.
We received community intel warning the rugpull of @Defrost_Finance. Our analysis shows a fake collateral token is added and a malicious price oracle is used to liquidate current users. The loss is estimated to be >$12M. https://t.co/70iu38OYh7 pic.twitter.com/rSKklgV71I
— PeckShield Inc. (@peckshield) December 24, 2022
Experts noted that the project team remains anonymous and has not undergone KYC procedures. In light of these circumstances, the firm’s analysts, as well as some community members, suspected an exit scam.
They claim to be offering the “hacker” 20% of the stolen funds to return it… too busy negotiating with themselves to respond to comment requests
— t o o n c e s (@toonces4280) December 26, 2022
“This is the most sneaky way to rug-pull crypto users we have ever seen. Defrost Finance announced that the V2 protocol was hacked. Really? No! This is a rug pull,” said DeFiYield.
The MELT token has fallen more than 20% in the last 24 hours. The coin trades around $0.001. At its all-time high in early December 2021 the asset peaked at $23.
As a reminder, Web3 industry losses from exploits since the start of the year have approached $3 billion, PeckShield estimated as of October.
According to Solidus Labs, since January the market has seen almost 120,000 fraudulent tokens linked to rug-pull schemes.