date 2022-12-29

There has been a string of crypto hacks and attacks over the last 30 days. To begin with, cross-chain DeFi protocol Ankr was hit by a $5 million exploit on December 2, with the platform later claiming that the theft was an inside job. More recently, on December 27, Bitkeep, a decentralised multi-chain digital wallet, was hacked for $8 million after users downloaded a compromised APK version of the protocol.

A few days ago, another crypto hack came to light after Defrost, a decentralised-finance protocol, announced that it was the victim of a multi-million dollar exploit on Christmas Eve. However, the circumstances around the attack seemed quite controversial and have left users rather confused. Tag along to find out why.

The hack on Defrost

It all began on December 24, when Defrost, a decentralised leveraged trading platform, came under attack, resulting in a loss of user funds. The team took to Twitter to shed light on the exploit, claiming it was a flash loan attack that was restricted to its V2 product and that no other verticals were affected.

“Defrost Finance is sad to announce that our V2 has suffered a hack, with an attacker using a flash loan function to withdraw funds. The V1 is not affected. We will soon close the V2 UI and investigate further with our tech team. Updates will be posted on our official channels,” the Defrost team said in its tweet. According to the blockchain security firm, PeckShield, the attacker was able to manipulate prices on the platform, making away with $173,000 in the process.

However, the platform reassured users that the hack was limited to its V2 product, with V1 remaining out of harm. “As the team digs further, please be aware that the V1 is unaffected - the first version of Defrost has no flash loan function,” said the Defrost team in another tweet, allaying any fears of further losses.

A second attack

Just when users thought the worst was behind them, Defrost announced that its V1 product was also compromised, leading to a much larger attack. “The same - or another - hacker also managed to steal the owner key for a second, much larger attack on the V1. We are currently working on finding out how exactly the aggressors managed to obtain the key and used it to exploit the protocol,” the platform said in a December 25 tweet.

According to reports, the attacker used an owner key to exploit Defrost’s V1 product. Armed with this key, the hacker was able to create a fake collateral token and use it to mint 100 million H2O tokens, a stablecoin native to the Avalanche protocol. The hacker then added a malicious price oracle to liquidate his H2O and drain the V1 pool of its USDT. All said and done, the hacker was able to get away with $12 million worth of tokens.

Suspicions of a rug pull

News of the second attack had not yet sunk in when rumours of a rug pull started doing the rounds. “We received community intel warning the rug pull of @Defrost_Finance. Our analysis shows a fake collateral token is added and a malicious price oracle is used to liquidate current users. The loss is estimated to be >$12M,” PeckShield said in a tweet.

Another prominent blockchain security firm, Certik, backed this notion, labelling the V1 attack as an “exit scam.” Finally, web3 security firm DeFiYield stated that they had warned Defrost about this vulnerability when they performed an audit on the platform’s smart contracts a year ago. They were also able to link Defrost with another rug pull from 2021 which syphoned $7 million of investor funds.

“We've done an Exclusive On-Chain Investigation on the @Defrost_Finance's $12M "Exploit". We found the connection between Defrost Finance and another project that has Rug Pulled $7M in 2021 - @Phoenix__PHX. They have the same developers,” DeFiYield said in its tweet. The security firm also published an article on Medium highlighting the findings of its investigation.

DeFiYield also revealed that just months before the attack, Defrost had taken out two insurance policies with coverage against oracle failure. This adds to the suspicion given that a malicious oracle was used to manipulate prices on Defrost’s V1 product.

Another twist

Amid the allegations of an exit scam, Defrost posted a wallet address on its Twitter page, asking the attacker to return the ill-gotten crypto. They even offered 20 percent of the stolen funds as a reward. These steps seem to have paid instant dividends as the attacker returned all the stolen funds on December 26. The returned loot included $9.9 million worth of DAI and $3.3 million in ETH.

In their latest update, the DeFi platform stated that over the next few days, they will convert the returned funds into stablecoins, which will be transferred from Ethereum to Avalanche before returning them to their rightful owners. The platform will analyse user holdings before the attack and then begin disbursing the refunds accordingly.

Conclusion

The Defrost case is indeed a strange one. Normally, perpetrators disappear and go silent after orchestrating a rug pull or exit scam. However, Defrost was very vocal on Twitter and posted regular updates about the hack. On the other hand, DeFiYield published a detailed blog indicating a clear connection between Defrost and a rug pull from 2021. They also state that Defrost is only returning the funds for fear of being caught.

All in all, the Defrost attack is a dizzying one. Updates around the attack came thick and fast, each more puzzling than the next. The only positive to come out of the entire ordeal is that the stolen funds will be returned to the users. However, when that will happen, we’ll have to wait and watch.
