Key Takeaways:
- Defrost Finance’s “Defrost V1” and “Defrost V2” versions are being investigated for hacking.
- The hacker manipulated the LSWUSDC share price to the extent of almost $173,000 in profit.
The Avalanche blockchain-based decentralized leveraged trading platform Defrost Finance revealed that both of its “Defrost V1” and “Defrost V2” versions are under investigation for hacking. Investors had reported losing their staked Defrost Finance (MELT) and Avalanche (AVAX) tokens from their MetaMask wallets when the announcement was made.
A blockchain security company called Peckshield tweeted specifics about the attack on Friday. According to the company, the hacker took advantage of “the lack of a reentrancy lock” in the flashloan/deposit function of the DeFi protocol.
Reentrancy attacks happen when malicious parties take advantage of a flawed smart contract. The exploited smart contract sends money to a wallet address specified by the person who created the unauthorized smart contract via a malicious smart contract.
Defrost Finance team revealed that Defrost V2 had been targeted by a flash loan attack shortly after a few users voiced their concerns about the odd loss of funds. Defrost V1 was not thought to have been affected at the time. Thus, the platform chose to shut down V2 while it conducted additional research.
The platform chose to shut down Defrost V2 at the time because it thought the breach had not impacted Defrost V1.
According to blockchain researcher PeckShield, the hacker gained over $173,000 by manipulating the share price of LSWUSDC. After additional examination, PeckShield’s study showed:
“Our analysis shows a fake collateral token is added, and a malicious price oracle is used to liquidate current users. The loss is estimated to be >$12M.”
Despite the company’s proactive announcement of the hack, the neighborhood believes there may have been a rug-pull going on. Defrost V1 was first reported to be unaffected by the hack since it lacked a flash loan feature. However, the platform eventually recognized that V1 was also in an emergency and stated:
“Our team is currently investigating. We kindly ask the community to wait for updates and refrain from using either the V1 or V2 for the moment.”
Investors are advised not to use Defrost Finance any longer. An internal team is looking into the matter right now and will contact users via authorized methods.
Numerous DeFi projects have continued to be attacked by malicious parties. For instance, the Raydium liquidity provider in Solana, California, suffered a $2 million hack last week. The hacker attacked by seizing control of the project’s “owner authority.”
Ankr and Helio, two DeFi platforms, lost a combined $20 million earlier this month. However, Ankr’s $3 million was later recovered.
