Defrost Finance Denies Rug Pull Allegations Amid $12M Exploit

The team behind Defrost Finance, an Avalanche-based DeFi protocol, has pushed back on claims that they ‘rug-pulled’ the project after $12 million was siphoned out of the smart contract last week.

Blockchain security company DeFiYieldSec this week alleged that the apparent exploit was an inside job, most recently saying that the creator of Defrost Finance’s multi-sig wallet was the same address that requested that the oracle be replaced before the exploit occurred. Defrost Finance adamantly denied these claims, labeling them as “slanderous and inaccurate.”

The first of two attacks targeted the V2 contract with a flash loan re-entrancy exploit, a Defrost Finance spokesperson told CoinDesk.

The far larger second attack occurred on Christmas Eve, the spokesperson continued, with another hacker or hackers “[managing] to appropriate the private key and used it to add a fake collateral token and price oracle, then minted 100 million H2O tokens … The hacker then liquidated the existing vaults by manipulating the vaults’ oracles and draining funds.”

Exploits involving price oracles have become more prevalent this year, with an oracle tied to Mango Markets being manipulated in October by crypto investor Avraham Eisenberg, who was arrested in Puerto Rico last week over the attack.

The Mango Markets exploit resulted in a $114 million loss, although Eisenberg returned $67 million shortly after the attack occurred.

In this case, Defrost Finance claims it retrieved all of the funds on Dec. 26 after offering a bounty to the hacker.

The Defrost Finance team, the group also behind failed DeFi protocol Phoenix Finance, said it is “very optimistic” all impacted users will be reimbursed.