Avalanche-based leveraged trading platform Defrost Finance announced on Dec. 24 that its V2 version was hacked due to a flash loan exploit.
“As the team digs further, please be aware that the V1 is unaffected – the first version of Defrost has no flash loan function,” tweeted the company.
According to blockchain security firm PeckShield, the hack was caused by the lack of a reentrancy lock on the flashloan()/deposit() functions and cost the firm around $173k.
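The root cause reported above is a missing reentrancy lock on flashloan()/deposit(). The Python model below is an added illustration, not Defrost's contract code: it assumes a simplified vault (the `Vault` class, its `flash_loan` and `deposit` methods and all balances are hypothetical and constructed) whose repayment check looks only at the token balance, and it shows how a lock shared by both functions rejects a deposit made from inside the loan callback.

```python
class ReentrancyError(Exception):
    """Raised when a guarded function is entered while the lock is held."""

class Vault:
    """Simplified share vault; hypothetical model, not Defrost's contract."""

    def __init__(self, guarded):
        self.guarded = guarded        # True: one lock shared by both functions
        self.locked = False
        self.balance = 1000           # constructed: tokens held by the vault
        self.shares = {"lp": 1000}    # constructed: 1 share is 1 token

    def _enter(self):
        if self.guarded and self.locked:
            raise ReentrancyError("reentrant call rejected")
        self.locked = True

    def deposit(self, who, amount):
        self._enter()
        self.balance += amount
        self.shares[who] = self.shares.get(who, 0) + amount
        self.locked = False

    def flash_loan(self, amount, callback):
        self._enter()
        snapshot = (self.balance, dict(self.shares))
        try:
            self.balance -= amount
            callback(self, amount)            # borrower-controlled code
            if self.balance < snapshot[0]:    # repayment judged by balance only
                raise RuntimeError("loan not repaid")
        except Exception:
            self.balance, self.shares = snapshot   # model a reverted transaction
            raise
        finally:
            self.locked = False

def run(guarded):
    """Return (reverted, vault balance, total shares) after a nested deposit."""
    vault = Vault(guarded)
    try:
        vault.flash_loan(500, lambda v, amt: v.deposit("borrower", amt))
        reverted = False
    except ReentrancyError:
        reverted = True
    return reverted, vault.balance, sum(vault.shares.values())

if __name__ == "__main__":
    print("no lock:  ", run(False))   # shares exceed the tokens backing them
    print("with lock:", run(True))    # nested deposit rejected, state unchanged
```

Comparing total shares against the vault balance after each call is the invariant an audit or a monitoring job would check; the unguarded run breaks it, the guarded run keeps it.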
A day later, on Dec. 25, Defrost again tweeted, saying that its V1 version had also suffered a much larger exploit as the attacker managed to steal the owner key.
Even though the protocol couldn’t confirm if it was the same hacker responsible for the V1 hack, Defrost confirmed it would keep investigating.
“We will keep on investigating and all relevant information will be shared with the community. We are thankful to the Defrost community for their ongoing support at this difficult time,” tweeted the company.
While the team at Defrost Finance continued with the updates, the community suspected an intentional rug pull presented as an exploit.
PeckShield confirmed an intel warning of a $12 million rug pull at Defrost that used a malicious price oracle to liquidate the current users.
Web3 security firm DeFiYield said it had audited Defrost about a year ago and highlighted the smart contract vulnerability that led to the exploit. The trading protocol used the same exploit to rug pull its users.
Meanwhile, Defrost Finance tweeted that it is willing to negotiate with the hackers and offered a 20% bounty in exchange for the stolen funds.