Defrost Finance Hacked in Attack Some Say May Have Been a Rug Pull
Decentralized finance protocol Defrost Finance said it was hacked Dec. 23, though blockchain security firm PeckShield, citing “community intel,” said the exploit may have been a rug pull that made off with $12 million.
In a tweet thread posted Dec. 25, the Defrost team said a first attack used a flash loan to drain funds out of its V2 product. A second, larger attack used the owner key to exploit V1. The protocol, which offers leveraged trading on the Avalanche blockchain, didn’t say how much had been taken.
1/4 The Defrost team has been working around the clock to find out more details concerning the events of the past 48 hours.
A thread ⬇️
— Defrost Finance 🔺 (@Defrost_Finance) December 25, 2022
PeckShield’s analysis showed the attack used a fake collateral token together with manipulated pricing.
A rug pull can occur when developers create and establish a liquidity pool and then remove the funds after investors have bought the related token. The total value of funds locked on Defrost Finance, which peaked at $95 million in February, was about $13 million in recent weeks, DefiLlama data show. That dropped to less than $93,000 on Dec. 25.
If the attack is a rug pull, it's an unusual one. Usually the team behind the scheme goes silent and can't be contacted. Defrost Finance, however, said in a tweet that it's willing to negotiate with the people behind the attack for a return of the funds. An attempt to reach the firm through Twitter failed because direct messages have been disabled on the account.
DeFiYield, which offers a security layer for smart contracts to help investors avoid getting scammed or hacked, alongside a cross-chain digital asset management platform, said it conducted an audit of Defrost Finance a year ago and highlighted the smart contract vulnerability used in the hack.
⚡️ We have warned DeFi Community about the smart contract vulnerability @Defrost_Finance used to rug pull its users.
1 year ago we performed an audit on Defrost.
Audit link: https://t.co/u2JBm7zAq8
Don't wanna get scammed in Crypto?
Follow DeFiYield Audits! 🚨 https://t.co/4Osx19KE0f pic.twitter.com/eIgx3rFn69
— DeFiYield 🛡️ Web 3 Security (@DefiyieldSec) December 25, 2022
Last year, crypto investors lost over $2.8 billion to rug pulls, according to a report by Chainalysis. Rug pulls accounted for 37% of the over $7.7 billion in total illicit revenue from crypto scams that year. The 2022 figure is likely to be higher: A report from blockchain risk monitoring firm Solidus Labs shows that fraudsters deployed over 117,000 scam tokens through Dec. 1, 41% more than in all of 2021.