Blockchain security firm PeckShield has confirmed that a flash loan attack on Defrost Finance has cost users more than $12 million.
Defrost V1 and V2 under investigation
After several users complained of significant losses in their accounts, Defrost Finance announced an investigation into a possible hack of its Defrost V1 and V2 platforms. Doran, a core team member, told users via Telegram to refrain from using Defrost V2.
At first, the platform believed only Defrost V2 was under attack and shut it down to protect users. The attacker targeted MetaMask wallets holding users’ staked Defrost Finance (MELT) and Avalanche (AVAX) tokens.
In a further announcement, again through Doran, Defrost Finance said that Defrost V1 was also under attack and advised users to withdraw their funds from the protocol to avoid further losses.
An initial analysis by PeckShield showed that the exploit manipulated the flash loan and deposit functions, which was possible because they lacked a reentrancy lock; this let the attacker tamper with the LSWUSDC share price. At that point the attacker had gained about $173,000.
Further analysis showed that the attacker introduced a fake collateral token and used a malicious price oracle to liquidate users on the platform. Losses from the hack are estimated at more than $12 million.
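The two controls whose absence the analysis describes, a reentrancy lock shared by the flash loan and deposit paths, and a check that liquidations only value collateral through an allowlisted oracle, can be modelled without a blockchain. The following toy vault is an added example written for this page; it is not Defrost Finance's code, and the `Vault`, `LiquidationEngine`, the `reference_price` argument (standing in for an independent second price source) and the 10% deviation bound are all constructed assumptions.

```python
"""Toy model of a share-based vault with a flash loan facility (constructed example,
not Defrost Finance code). The lock in _enter/_exit guards both flash_loan and
deposit, so a deposit cannot run while a loan is open and the share price
(total_assets / total_shares) is never computed from temporarily borrowed assets."""
from dataclasses import dataclass, field
from typing import Callable, Dict


class VaultError(Exception):
    pass


@dataclass
class Vault:
    total_assets: int = 0
    total_shares: int = 0
    shares: Dict[str, int] = field(default_factory=dict)
    _locked: bool = False

    def _enter(self) -> None:
        # Reentrancy lock: a second entry while the first is still active is rejected.
        if self._locked:
            raise VaultError("reentrant call")
        self._locked = True

    def _exit(self) -> None:
        self._locked = False

    def share_price(self) -> float:
        return 1.0 if self.total_shares == 0 else self.total_assets / self.total_shares

    def deposit(self, who: str, amount: int) -> int:
        self._enter()  # raises before the try, so a rejected call never unlocks the vault
        try:
            minted = amount if self.total_shares == 0 else amount * self.total_shares // self.total_assets
            self.total_assets += amount
            self.total_shares += minted
            self.shares[who] = self.shares.get(who, 0) + minted
            return minted
        finally:
            self._exit()

    def flash_loan(self, amount: int, callback: Callable[["Vault", int], int]) -> None:
        self._enter()
        try:
            if amount > self.total_assets:
                raise VaultError("insufficient liquidity")
            before = self.total_assets
            self.total_assets -= amount
            repaid = callback(self, amount)  # borrower's callback runs while the lock is held
            self.total_assets += repaid
            if self.total_assets < before:
                raise VaultError("loan not repaid")
        finally:
            self._exit()


@dataclass
class LiquidationEngine:
    """Only allowlisted collateral tokens are valued, and only via their approved oracle;
    a quote that deviates from an independent reference price is refused (assumed design)."""
    allowed_collateral: Dict[str, Callable[[], int]]  # token -> approved oracle returning a price
    max_deviation_bps: int = 1_000                     # 10%, a constructed bound

    def collateral_value(self, token: str, amount: int, reference_price: int) -> int:
        oracle = self.allowed_collateral.get(token)
        if oracle is None:
            raise VaultError(f"collateral {token} not allowlisted")
        price = oracle()
        if abs(price - reference_price) * 10_000 > reference_price * self.max_deviation_bps:
            raise VaultError("oracle price deviates from reference")
        return amount * price


def share_price_unchanged_by_flash_loan() -> bool:
    v = Vault()
    v.deposit("alice", 1_000)
    v.deposit("bob", 500)
    before = v.share_price()
    v.flash_loan(600, lambda vault, amt: amt)  # well-behaved borrower repays exactly
    return v.share_price() == before and v.total_assets == 1_500


def nested_deposit_rejected() -> bool:
    v = Vault()
    v.deposit("alice", 1_000)
    rejected = False

    def cb(vault: Vault, amt: int) -> int:
        nonlocal rejected
        try:
            vault.deposit("borrower", amt)  # deposit while the loan is still open
        except VaultError:
            rejected = True
        return amt

    v.flash_loan(400, cb)
    return rejected and v.total_assets == 1_000 and v.share_price() == 1.0


def liquidation_requires_allowlisted_oracle() -> bool:
    engine = LiquidationEngine(allowed_collateral={"USDC": lambda: 100})  # constructed price in cents
    ok = engine.collateral_value("USDC", 10, reference_price=100) == 1_000
    try:
        engine.collateral_value("FAKE", 10, reference_price=100)
        fake_rejected = False
    except VaultError:
        fake_rejected = True
    try:
        LiquidationEngine(allowed_collateral={"USDC": lambda: 1}).collateral_value("USDC", 10, reference_price=100)
        deviation_rejected = False
    except VaultError:
        deviation_rejected = True
    return ok and fake_rejected and deviation_rejected


if __name__ == "__main__":
    print(share_price_unchanged_by_flash_loan(), nested_deposit_rejected(), liquidation_requires_allowlisted_oracle())
```

The point of the model is the shared lock: `deposit` and `flash_loan` each call `_enter`, so a deposit attempted from inside the borrower's callback is refused and the share price seen by later depositors is computed only from assets the vault actually holds. The liquidation side shows the complementary control, rejecting both an unlisted collateral token and an approved oracle whose quote has drifted too far from the reference.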
Defrost Finance is a fully fair-launch trading platform operating on the Avalanche blockchain. The company has advised its investors to stop using the platform while its internal team investigates and resolves the issue.
The community did not take Defrost Finance’s announcement at face value, viewing the situation instead as a tug-of-war: the attackers hold an essential part of the platform, which calls for immediate action if the situation is to be saved. Defrost Finance’s management is prepared to settle with the attackers and, in the latest development, has announced an offer to them.
Frequency of flash loan attacks
On December 10, attackers infiltrated the Arbitrum-based borrowing protocol Lodestar Finance through a flash loan attack. According to Lodestar, the attacker inflated the value of the plvGLP token and then used the manipulated token to borrow the network’s entire available supply of liquidity. The attacker took more than $5.8 million, but Lodestar confirmed recovering about $2.8 million, which helped repay depositors.