Key Ideas:
- Defrost Finance revealed that both its Defrost v1 and Defrost v2 versions are being investigated for possible hacks.
- By manipulating the share price of LSWUSDC, the hacker gained around $173,000, according to PeckShield.
- In the most recent developments, the management of Defrost Finance made an offer to the hackers and stated that it was willing to reach a settlement.
Defrost Finance, a decentralized leveraged trading platform built on the Avalanche blockchain, says that both its Defrost v1 and Defrost v2 versions are being investigated for possible hacks.
When the statement was issued, investors had reported losing their staked Defrost Finance (MELT) and Avalanche tokens from their MetaMask wallets.
After a few customers reported experiencing significant losses in their accounts, Defrost Finance launched an investigation into a potential attack on its Defrost v1 and v2 systems.
Defrost Finance is sad to announce that our V2 has suffered a hack, with an attacker using a flash loan function to withdraw funds.
The V1 is not affected. We will soon close the V2 UI and investigate further with our tech team.
Updates will be posted on our official channels.
— Defrost Finance 🔺 (@Defrost_Finance) December 24, 2022
The platform initially believed Defrost v1 had not been affected by the intrusion, so it decided to shut down Defrost v2 while it investigated further. Doran, one of the main team members, warned users over Telegram not to use Defrost v2.

Defrost Finance also sent out a notification via Doran, warning customers to withdraw funds from the protocol to avoid further losses because Defrost v1 was also being attacked.

Preliminary analysis by PeckShield found that the exploit abused the flashloan() and deposit() functions and was made possible by the lack of a reentrancy lock on them. The hacker used this gap to manipulate the LSWUSDC share price. At the time, the hacker's gain stood at about $173,000.
The @Defrost_Finance is exploited, leading to the gain of ~$173k for the hacker. The hack is made possible due to the lack of reentrancy lock for the flashloan()/deposit() functions, which was used by the hacker to manipulate the share price of LSWUSDC. pic.twitter.com/SINHUZXC0D
— PeckShieldAlert (@PeckShieldAlert) December 23, 2022
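A simplified Python model of the bug class PeckShield describes, added here as an illustration; it is not Defrost's contract code or a reconstruction of the actual transaction. The Vault class, its starting balances and the loan size are constructed assumptions. It runs the same vault with and without one reentrancy lock shared by flashloan() and deposit().

```python
from contextlib import contextmanager
class ReentrancyError(Exception):
    """Raised when a guarded function is entered while the lock is held."""
class Vault:
    """Toy share vault (hypothetical): share price = assets held / shares outstanding."""
    def __init__(self, guarded):
        self.guarded, self.locked = guarded, False
        self.assets, self.shares = 1000, 1000   # constructed starting state

    @contextmanager
    def _non_reentrant(self):  # one lock shared by deposit() and flashloan()
        if self.guarded and self.locked:
            raise ReentrancyError("reentrant call rejected")
        previous, self.locked = self.locked, True
        try:
            yield
        finally:
            self.locked = previous

    def share_price(self):
        return self.assets / self.shares

    def deposit(self, amount):
        with self._non_reentrant():
            minted = amount * self.shares // self.assets  # priced off the current balance
            self.assets += amount
            self.shares += minted
            return minted

    def flashloan(self, amount, callback):
        snapshot = (self.assets, self.shares)
        try:
            with self._non_reentrant():
                self.assets -= amount          # funds are out of the vault during the callback
                callback(self, amount)
                if self.assets < snapshot[0]:
                    raise ValueError("flash loan not repaid")
        except Exception:
            self.assets, self.shares = snapshot  # model an on-chain revert
            raise

def price_after_reentrant_deposit(guarded):
    """Return (share price afterwards, whether the call reverted)."""
    vault, reverted = Vault(guarded), False
    try:
        vault.flashloan(900, lambda v, amt: v.deposit(amt))
    except ReentrancyError:
        reverted = True
    return vault.share_price(), reverted
```

Without the lock, the deposit made inside the callback is priced while the loaned funds are missing from the balance, so the share price ends at 0.1 instead of 1.0 even though the repayment check passes; with the lock, the nested call reverts and the price is unchanged.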
According to further investigation, the hacker created a fake collateral token and used a phony price oracle to liquidate platform users. Losses from the incident are estimated to have exceeded $12 million.
The attackers are holding a crucial part of the platform, so quick action may be necessary to limit further damage. In the most recent developments, the management of Defrost Finance made an offer to the hackers and stated that it was willing to reach a settlement.
The Defrost team is willing to negotiate with the hacker(s).
We are willing to discuss sharing 20% (negotiable) of the funds in exchange for the bulk of assets and are calling on the hackers to contact us asap.
— Defrost Finance 🔺 (@Defrost_Finance) December 25, 2022
Defrost Finance is an entirely fair launch trading platform powered by the Avalanche blockchain. The business has asked its investors to stay off its platform until an internal team investigates and tries to fix the issue.