Defrost Finance Flash Loan Attacks Cost Users Over $12 Million.
PeckShield, a blockchain security monitoring company, confirmed that a flash loan attack on Defrost Finance cost users more than $12 million. Both the Defrost v1 and Defrost v2 versions of Defrost Finance, a decentralized leveraged trading platform built on the Avalanche blockchain, are under investigation for hacking.
BREAKING: DeFi flash loan hacker liquidates Defrost Finance users causing $12 Million loss.
— CoinHub (@CoinHubCC) December 25, 2022
Investor reports that their invested Defrost Finance (MELT) and Avalanche tokens had gone missing from MetaMask wallets prompted this latest disclosure. According to blockchain security firm PeckShield, users lost more than $12 million as a result of the flash loan attack on Defrost Finance.
Meanwhile, shortly after a few users expressed concern about the unusual loss of funds, Doran, a member of Defrost Finance’s core team, admitted that Defrost v2 had been targeted by a flash loan attack.
DeFi flash loan hacker liquidates Defrost Finance users causing $12M loss
Moments after a few users complained about the unusual loss of funds, Defrost Finance’s core team member Doran confirmed that Defrost V2 was hit with a flash loan attack. pic.twitter.com/TiDFHKuwOC
— Mr Legend Crypto (@mrlegendcrypto) December 25, 2022
The platform therefore decided to shut down version 2 while it investigated further; at the time, it believed Defrost version 1 was unaffected.
Defrost V1 and V2 are Being Investigated
As previously stated, Defrost Finance launched an investigation into a possible attack on its Defrost V1 and V2 platforms after a few customers reported significant losses in their accounts. Doran, a key team member, used Telegram to advise people not to use Defrost V2.
The hacker went after MetaMask wallets, which held users’ staked Defrost Finance (MELT) and Avalanche (AVAX) tokens.
Defrost Finance is sad to announce that our V2 has suffered a hack, with an attacker using a flash loan function to withdraw funds.
The V1 is not affected. We will soon close the V2 UI and investigate further with our tech team.
Updates will be posted on our official channels.
— Defrost Finance 🔺 (@Defrost_Finance) December 24, 2022
Defrost Finance later sent a message through Doran saying that Defrost V1 was also being attacked and telling users to take their money out of the protocol to prevent further losses.
PeckShield’s preliminary analysis, meanwhile, found that the attack manipulated the flash loan and deposit functions and was made possible by the absence of a reentrancy lock on them. The hacker used this to manipulate the share price of LSWUSDC, and had made almost $173,000 at the time.
The @Defrost_Finance is exploited, leading to the gain of ~$173k for the hacker. The hack is made possible due to the lack of reentrancy lock for the flashloan()/deposit() functions, which was used by the hacker to manipulate the share price of LSWUSDC. pic.twitter.com/SINHUZXC0D
— PeckShieldAlert (@PeckShieldAlert) December 23, 2022
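What the missing reentrancy lock permits, and what a single lock shared by both functions prevents, shown as an added Python model (not code from this article, PeckShield or Defrost). ToyVault, its share accounting and its balance-only repayment check are assumptions made for illustration.

```python
from contextlib import contextmanager, suppress

class Reverted(Exception):
    """Stands in for an EVM revert."""

class ToyVault:
    """Constructed share vault (not Defrost's contract): price = assets / shares."""
    def __init__(self, guarded):
        self.guarded = guarded   # True: one lock shared by deposit() and flash_loan()
        self.locked = False
        self.assets = 0          # underlying tokens held by the vault
        self.shares = {}         # holder -> share balance

    @contextmanager
    def _non_reentrant(self):
        if self.guarded and self.locked:
            raise Reverted("reentrant call")
        previous, self.locked = self.locked, True
        try:
            yield
        finally:
            self.locked = previous

    def deposit(self, who, amount):
        with self._non_reentrant():
            supply = sum(self.shares.values())
            minted = amount if supply == 0 else amount * supply // self.assets
            self.assets += amount
            self.shares[who] = self.shares.get(who, 0) + minted

    def flash_loan(self, amount, callback):
        with self._non_reentrant():
            snapshot = (self.assets, dict(self.shares))
            self.assets -= amount                  # tokens leave the vault
            try:
                callback(self, amount)             # borrower-controlled code runs here
                if self.assets < snapshot[0]:      # assumed check: balance only
                    raise Reverted("loan not repaid")
            except Reverted:
                self.assets, self.shares = snapshot  # a revert undoes state changes
                raise

def after_nested_deposit(guarded):
    """(share price, borrower shares) after a loan whose callback calls deposit()."""
    vault = ToyVault(guarded)
    vault.deposit("alice", 1000)                   # price starts at 1.0
    with suppress(Reverted):                       # guarded vault rejects the nested call
        vault.flash_loan(900, lambda v, amt: v.deposit("borrower", amt))
    return vault.assets / sum(vault.shares.values()), vault.shares.get("borrower", 0)
```

In the unguarded model the nested deposit is priced while the loaned tokens are out of the vault, so the share price falls from 1.0 to 0.1; the guard only works because both entry points check the same lock.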
According to additional research, the hacker created a fake collateral token and used a bogus pricing mechanism to liquidate platform users. Hence, the incident is estimated to have cost more than $12 million in losses.
It is worth mentioning that Defrost Finance is an entirely transparent trading platform that uses the Avalanche blockchain. While a team within the firm investigates and addresses the issue, the company has advised its investors to refrain from using its platform.
The Defrost team is willing to negotiate with the hacker(s).
We are willing to discuss sharing 20% (negotiable) of the funds in exchange for the bulk of assets and are calling on the hackers to contact us asap.
— Defrost Finance 🔺 (@Defrost_Finance) December 25, 2022
Flash Loan Attacks are Common
Hackers launched a flash loan attack on December 10 against Lodestar Finance, an Arbitrum-based borrowing protocol. Lodestar says the attacker overstated the value of the plvGLP token and then used the overvalued token to borrow all of the network’s available liquidity.
The Vulnerability in Lodestar Finance Was Used via a Flash Loan Attack #cryptocurrency #plutusdao #lodestar #arbitrum #flashloan #exploit https://t.co/TjT4v2nhwl pic.twitter.com/GUyr7D6Ecc
— BitFinsider (@BitFinsider) December 12, 2022
Although the attacker took more than $5.8 million, Lodestar confirmed repaying almost $2.8 million, helping depositors get their money back.