Defrost Finance

2021-05-17

FinNexus (Phoenix Finance), a DeFi options protocol allegedly operated by the same team, is exploited for approximately $7.6 million via a private key compromise and token minting attack.

2021-09-01

Defrost Finance launches on Avalanche. De.Fi Security later alleged that project deployment was partially funded by proceeds from the 2021 FinNexus exploit.

2022-02-01

Defrost Finance TVL peaks at approximately $95 million.

2022-12-23

First attack: Flash loan exploit on Defrost V2 drains approximately $173,000 by exploiting a reentrancy vulnerability in the flashloan/deposit functions.

2022-12-24

Second attack: Defrost V1 is exploited via admin owner key access; attacker inserts a fake collateral token and malicious price oracle, mints 100 million H2O, and liquidates user positions. Total losses reach approximately $12 million.

2022-12-25

CoinDesk and PeckShield report on the exploit. PeckShield states the attack 'may have been a rug pull.' Defrost TVL drops from $13 million to under $93,000.

2022-12-26

CertiK publicly labels Defrost Finance an 'exit scam,' citing inability to contact team members. Defrost Finance announces funds from V1 attack have been returned.

2022-12-28

Defrost Finance team breaks silence with a statement denying rug pull allegations, characterizing the event as an external private key compromise.

2022-12-30

De.Fi Security publishes on-chain analysis alleging the multisig wallet creator is the same address that initiated the malicious oracle replacement, and connecting Defrost team to the 2021 FinNexus exploit.

2023-01-11

Defrost Finance deploys refund smart contract. Affected V1 vault depositors and H2O holders become eligible to claim stablecoin reimbursements based on pre-exploit positions.