Defrost Finance, an Avalanche-based decentralised leverage trading platform, was hacked in a flash loan attack. Hackers exploited a smart contract vulnerability to manipulate the price of the LSWUSDC token and drain all liquidity from user wallets. Investors are alleging that Defrost Finance conducted a rug pull on them.
On Saturday, Defrost Finance, a decentralised exchange on the Avalanche (AVAX) blockchain, announced that it was pausing all activities on both its versions – Defrost v1 and Defrost v2 – following a smart contract exploit. The attack came to light after investors reported losing their AVAX and MELT tokens (MELT is the native staking token of Defrost Finance) from MetaMask wallets connected to the decentralised leverage trading platform.
Soon after users raised complaints about lost funds, a core team member confirmed in the platform’s Telegram channel that Defrost v2 had been hit by a security exploit in which the hacker drained all liquidity in a flash loan attack. At first, the team said that Defrost v1 was not impacted by the hack, and that it had shut down v2 for further investigation.
On-chain security analytics firm PeckShield conducted a detailed investigation and found that the hacker manipulated the share price of the LSWUSDC token to liquidate user funds, gaining $173,000 from the attack. The hacker conducted the flash loan attack by exploiting a security vulnerability in Defrost’s smart contract that allowed them to deploy a fake collateral token and manipulate its price to drain all funds.
“Our analysis shows a fake collateral token is added and a malicious price oracle is used to liquidate current users. The loss is estimated to be >$12M,” tweeted PeckShield.
However, a day after confirming the first hack on v2, Defrost revealed that the “same or another hacker” had managed to steal its ‘deployer key’ to conduct a much larger attack on v1 as well. The team said that it is currently working to find out how the attackers managed to obtain the key and use it to exploit the protocol. Defrost has advised investors to stop using the platform until further notice while the investigation is underway, and the team will update users on its progress through official channels. The DeFi platform, which offers leveraged trading on the Avalanche blockchain, has not revealed how much liquidity was drained; however, it is estimated to be upwards of $12 million.
Now users are alleging that the lending protocol conducted a rug pull on them. A rug pull is when crypto token developers create a liquidity pool into which investors deposit funds to purchase tokens, and once enough liquidity is reached, the team removes all funds without notifying users.
The total value of assets locked on Defrost, which stood at $95 million at the beginning of the year, came down to $13 million in recent weeks amid the market downturn. According to crypto market analytics firm DeFi Llama, the total value of funds locked on Defrost fell to less than $93,000 on December 25. After the attack, the MELT token lost 32% of its value and is currently trading at $0.001.
DeFiYield, a cross-chain digital asset management firm that also offers security solutions for smart contracts to help protect investors from being scammed or hacked, confirmed that it had conducted an audit of Defrost Finance last year and notified the team about the smart contract vulnerability that was exploited in last week’s hack.
According to a report by Chainalysis, crypto investors lost over $2.8 billion to rug pulls last year. Out of the $7.7 billion in total illicit revenue earned by hackers and scammers in 2021, rug pulls accounted for 37%. Analysts say this number is expected to be higher in 2022, with fraudsters having deployed over 117,000 scam tokens this year, which is 41% more than last year.
At the time of writing, AVAX, the native token of the Avalanche network, is trading at $11.71 – up by 0.4% in the last 24 hours.