Explained: The Defrost Hack (December 2022)


Rob Behnke

December 28th, 2022

In December 2022, the Defrost Finance DeFi protocol was hit by two attacks in quick succession. Whether the larger of the two was an external flash loan exploit or an exit scam was disputed at the time; together they netted the attacker an estimated $12 million in tokens, which were later returned to the protocol.

Inside the Attack

The first attack was a flash loan attack against v2 of the Defrost Finance protocol. Using a flash loan, the attacker was able to manipulate the price of LSWUSDC used by the project, and that manipulation let them drain approximately $173,000 from the protocol.

A follow-on attack targeted v1 of the protocol. In this case, the attacker gained access to the project's owner key, which allowed them to add a fake collateral token and a fake price oracle to the project and mint 100 million H2O tokens. With the fake oracle reporting whatever price the attacker chose, they were then able to trigger liquidations and drain USDT from the protocol.

The second attack was widely believed to be a rug pull, because the project's own private keys were used to add the malicious token and price oracle. The stolen assets were later returned to the protocol, and the project is working to redistribute them to affected users.

Lessons Learned From the Attack

The Defrost Finance project was targeted by two attacks, allegedly by different attackers. A lack of reentrancy protection on its flash loan functions made the first attack possible, and either inadequate protection of the project's private keys or an inside job made the second possible.
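Both lessons in one illustrative contract. This is an added example written for this article, not Defrost Finance's code; the names GuardedVault, IFlashBorrower, FEE_BPS, LISTING_DELAY and the two-day delay are assumptions. It places an unguarded flash loan entry point beside the same logic behind a reentrancy guard, and replaces the "owner key lists a new collateral and oracle in one transaction" pattern with an admin that must be a contract (a multisig) and a listing that is announced on-chain before it can take effect.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative vault written for this article. It is NOT Defrost Finance code;
// the contract, function and constant names below are assumptions.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IFlashBorrower {
    // Called after the funds are sent; must leave amount + fee in the vault.
    function onFlashLoan(address token, uint256 amount, uint256 fee, bytes calldata data) external;
}

contract GuardedVault {
    // ---- Lesson 1: reentrancy guard on the flash loan path ----
    uint256 private _entered = 1; // 1 = not entered, 2 = entered
    modifier nonReentrant() {
        require(_entered == 1, "reentrant call");
        _entered = 2;
        _;
        _entered = 1;
    }

    uint256 public constant FEE_BPS = 9; // 0.09% fee, assumed for the example

    // VULNERABLE: no guard. While onFlashLoan runs, the borrower holds `amount` of the
    // vault's tokens and can re-enter any public function of this contract (another
    // flash loan, a borrow, a balance-based price read) while balances are skewed.
    function flashLoanUnguarded(IERC20 token, uint256 amount, bytes calldata data) external {
        _flashLoan(token, amount, data);
    }

    // HARDENED: identical logic, but the callback cannot re-enter the vault.
    function flashLoan(IERC20 token, uint256 amount, bytes calldata data) external nonReentrant {
        _flashLoan(token, amount, data);
    }

    function _flashLoan(IERC20 token, uint256 amount, bytes calldata data) internal {
        uint256 balanceBefore = token.balanceOf(address(this));
        uint256 fee = (amount * FEE_BPS) / 10000;
        require(token.transfer(msg.sender, amount), "transfer failed");
        IFlashBorrower(msg.sender).onFlashLoan(address(token), amount, fee, data);
        require(token.balanceOf(address(this)) >= balanceBefore + fee, "loan not repaid");
    }

    // ---- Lesson 2: listing collateral/oracles is not a one-key, one-transaction action ----
    address public immutable admin;                   // must be a contract (e.g. a multisig), not an EOA
    uint256 public constant LISTING_DELAY = 2 days;   // assumed delay; long enough for users to react

    struct PendingListing { address token; address oracle; uint256 eta; }
    mapping(bytes32 => PendingListing) public pending;
    mapping(address => address) public oracleOf;      // collateral token => price oracle (0 = not listed)

    event ListingQueued(bytes32 indexed id, address token, address oracle, uint256 eta);
    event ListingExecuted(bytes32 indexed id, address token, address oracle);

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    constructor(address admin_) {
        // A single externally owned account is exactly the key that gets stolen or misused.
        require(admin_.code.length > 0, "admin must be a multisig/timelock contract");
        admin = admin_;
    }

    // Step 1: announce. Anyone watching the chain sees the new token and oracle
    // LISTING_DELAY before they can take effect, so a rogue listing can be flagged.
    function queueListing(address token, address oracle) external onlyAdmin returns (bytes32 id) {
        id = keccak256(abi.encode(token, oracle, block.timestamp));
        uint256 eta = block.timestamp + LISTING_DELAY;
        pending[id] = PendingListing(token, oracle, eta);
        emit ListingQueued(id, token, oracle, eta);
    }

    // Step 2: execute only after the delay has passed.
    function executeListing(bytes32 id) external onlyAdmin {
        PendingListing memory p = pending[id];
        require(p.eta != 0, "unknown listing");
        require(block.timestamp >= p.eta, "timelock not expired");
        delete pending[id];
        oracleOf[p.token] = p.oracle;
        emit ListingExecuted(id, p.token, p.oracle);
    }
}
```

Two caveats a practitioner should keep in mind. The guard only stops re-entry into this contract; a borrower can still use the loaned funds to move prices on an external AMM, so any oracle the vault reads must itself be flash-loan resistant (a time-weighted average or an external price feed rather than a spot pool balance). And requiring the admin to have code enforces the shape of the setup, not its governance: a "multisig" whose threshold is one signer, or a timelock whose proposer is a single hot key, leaves the project exactly as exposed as a plain owner EOA.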

Security weaknesses such as missing reentrancy protection and privileged keys that are not placed behind multi-signature control are well-known issues that can be identified and remediated as part of a security audit. To learn more about protecting your smart contracts, reach out to our Web3 security experts at halborn@protonmail.com.