Trusted

Defrost Finance Recovered $12 Million in Stolen Funds

3 mins
Updated by Ali Martinez
Join our Trading Community on Telegram

In Brief

  • Recent DeFi hacks reveal that code audits alone do not guarantee a user's safety.
  • Two firms audited by CertiK were recently hacked for $14 million despite undergoing rigorous code audits.
  • Coinbase CEO Brian Armstrong says that the government should allow DeFi to self-regulate.
  • promo

Ecological stablecoin project Defrost Finance will return $12 million in funds stolen through Dec. 23, 2022, exploit, despite undergoing a code audit by CertiK.

Defrost will use on-chain data to ensure the correct allocation of the stolen funds. The refund comes after an attacker exploited flaws in multiple Defrost smart contracts. Blockchain security firm Peckshield initially reported the attack on Dec. 23, 2022.

Defrost Clients Lose $12 Million

The hacker reportedly drained $173,000 through a flash loan attack leveled at Defrost’s V1 protocol. In a more significant V2 attack, a perpetrator stole $12 million by liquidating users’ positions through a fake collateral token and a malicious price oracle. Attackers later allegedly stole $1.4 million from cross-chain tech aggregator Rubic Finance, raising concerns about vulnerabilities in smart contract code.

Liquidations occur in DeFi when the value of a user’s collateral falls below a lending protocol’s minimum loan-to-value ratio. Stablecoin protocols like Defrost allow users to deposit collateral for a perpetual stablecoin loan. The protocol uses an algorithmically-adjusted stability fee to set the loan’s interest. The introduction of fake collateral to V2 likely compromised Defrost users’ loan-to-value ratios, leading to their liquidations.

CertiK Audits Reveal Centralization Issues

Both hacks have drawn attention to the conclusions that can be drawn from smart contract code audits when assessing the legitimacy of a DeFi project. Blockchain security firm CertiK was implicated in both hacks, with Defrost and Rubic having undergone code audits by the company. 

CertiK audited Defrost V1’s smart contracts in Nov. 2021, listing a critical logic issue and five issues relating to centralization. The former had been resolved at press time, while the latter was acknowledged without evidence of further work. A logic issue, colloquially referred to as a ‘bug,’ allows smart contracts to operate incorrectly without crashing. On the other hand, a centralization issue can cause the compromise of several entities if a hacker gains access to a shared code block or variable.

CertiK also unearthed several centralization issues in Rubic Finance’s SwapContract smart contract, one of which would enable a hacker to withdraw ETH/BNB and other tokens to the hacker’s address.

Audits Don’t Replace Common Sense

Rather than endorsing a project or its assets, CertiK tests smart contracts’ resilience to various attack vectors. It also assesses the contracts’ compliance with acceptable coding standards and compares a project’s smart contracts to those produced by industry leaders. 

Careful scrutiny of CertiK’s website reveals that the company only audits code provided by the DeFi protocol. It advises interested investors to conduct their own due diligence. Additionally, its reports contain the following disclaimer:

“CertiK’s position is that each company and individual are responsible for their own due diligence and continuous security. CertiK’s goal is to help reduce the attack vectors and the high level of variance associated with utilizing new and consistently changing technologies, and in no way claims any guarantee of security or functionality of the technology we agree to analyze.”

While not the complete picture, these reports can provide insight into a project’s risks, helping to inform interested parties about a project. Any proposed changes to the smart contract code can undergo a protocol’s standard voting procedure without government intervention

Coinbase CEO Brian Armstrong advocates that DeFi protocols be protected by free speech in the United States rather than be regulated by laws governing financial services businesses.

For Be[In]Crypto’s latest Bitcoin (BTC) analysis, click here.

Top crypto projects in the US | November 2024
Coinrule Coinrule Explore
Coinbase Coinbase Explore
Uphold Uphold Explore
3Commas 3Commas Explore
Chain GPT Chain GPT Explore
Top crypto projects in the US | November 2024
Coinrule Coinrule Explore
Coinbase Coinbase Explore
Uphold Uphold Explore
3Commas 3Commas Explore
Chain GPT Chain GPT Explore
Top crypto projects in the US | November 2024

Disclaimer

In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content. Please note that our Terms and ConditionsPrivacy Policy, and Disclaimers have been updated.

David-Thomas.jpg
David Thomas
David Thomas graduated from the University of Kwa-Zulu Natal in Durban, South Africa, with an Honors degree in electronic engineering. He worked as an engineer for eight years, developing software for industrial processes at South African automation specialist Autotronix (Pty) Ltd., mining control systems for AngloGold Ashanti, and consumer products at Inhep Digital Security, a domestic security company wholly owned by Swedish conglomerate Assa Abloy. He has experience writing software in C...
READ FULL BIO
Sponsored
Sponsored