On Dec. 26, blockchain security firm CertiK issued a warning alleging that Defrost Finance, a decentralized leverage-trading platform on the Avalanche blockchain that recently suffered an exploit, is an “exit scam.” The move came just as Defrost announced that “the hacker involved in the V1 hack [but not the v2 hack] has returned the funds.” CertiK wrote

“On 24 December we have seen an #exitscam on @Defrost_Finance. We have attempted to contact multiple members of the team but have had no response. The team are not KYC’d but we are using all the information that we do have to assist with authorities.”

On Dec. 23, Defrost Finance suffered a flash loan attack that drained protocol users of $12 million in assets on its v1 and v2 protocols. Immediately after the exploit, blockchain analytics firm PeckShield also issued a warning, alleging the operation was a “rugpull”:

“We received community intel warning the rugpull of @Defrost_Finance.Our analysis shows a fake collateral token is added and a malicious price oracle is used to liquidate current users. The loss is estimated to be >$12M.”

In a brief post-mortem analysis, project developers said that hackers also managed to steal the owner key for a much larger attack on its v1 protocol than the flash loan exploit. Defrost has offered to negotiate “sharing 20% (negotiable) of the funds in exchange for the bulk of assets and are calling on the hackers to contact us asap.”

After posting an Ethereum wallet address on its social page, close to $3 million worth of digital assets had been transferred there at the time of publication. In a Medium post published hours later, Defrost explained that the v1 hacker had returned the stolen funds to an address controlled by the project developers.

“We will soon start scanning the data on-chain to find out who owned what prior to the hack in order to return them to the rightful owners. As different users had variable proportions of assets and debt, this process might take a little. However, it will be concluded fairly swiftly.”
CertiK's Skynet alert for Defrost. Source: CertiK

This is a developing story and will be updated accordingly.

Update (Dec. 26 at 3:50 pm UTC): Added information from Derost regarding the return of funds from the v1 attacker