The MOST EVIL Crypto SCAM: Boris and Bob Rug-Pulled $19mln

Yesterday, we published the first part of our investigation on the Defrost Finance Rug Pull. The entire De.Fi’s security department has been investigating the Rug Pull of Defrost Finance, the people who are behind it, and collecting all on/off-chain data. We present to you the NEW and the FINAL part of Defrost Finance Saga.

Since we published the first part, we have gathered much more information about the people behind Defrost Finance and the way the project was funded. That’s why we are now going out with the 2nd part of the Defrost Saga — One of the Most Evil Crypto Scam: Rug Pulled Defrost Finance and its Connection to Criminal Money.

We have spent 2 years on creating the Largest Crypto Hacks Database with more than 3,160 hacks added and manually verified by our on-chain researchers and Solidity engineers. Our on-chain investigations have been mentioned by Forbes, Bloomberg, Wall Street Journal, and Blockworks.

We thought that we had already seen every type of Rug Pull and Scam possible.

But then Defrost Finance happened, and decided to make a little Christmas gift for its Community — rug pull them for $12M.

The way they have done this might be the most sneaky way to rug pull users that DeFi has ever seen.

How it started:

On December 24th, the World has seen the following tweet by Defrost Finance:

Defrost claimed that their V2 smart contract was exploited, and that attacker used a flash loan to withdraw funds.

However, the V1 contracts had been hacked as well resulting in the $12M loss. The oracle address in the protocol’s collateral vaults was replaced with a malicious one, that triggered liquidations of collateralized user funds.

0x3cd5854fe3a13707b7882d8290d3cae793a7751a — the Address that called setOracleAddress() was added as the Origin address by deployment of the DefrostFactory address:

The creator of the** multisig wallet, which has to approve the oracle replacement function before it executes, is the same address that requested the oracle replacements**:

This is an application for signing the oracle replacement by the multisig:

Addresses that were signing oracle replacements in the protocol’s vaults are:

• 0xF40D59331DCEf16a5E6C4f2E5BCC2cA968DeA619
• 0xEBbE39e3003013753a0109594b9451bcDe625bB7
• 0xbE22766FDd63d4acc60E6c209ef2eAE6DBFC4814

Now, if Defrost Finance claims that the hack happened due to a compromise of the wallets managing the multisig — how is it possible that 4 wallets got compromised at the same time? How were they stored?

This is one of the oracle replacement transactions:

The timeline of Defrost Finance Rug Pull looks like this:

🚨 Connection of all the above mentioned addresses points out the hack was an insider job! 🚨

The funny part?

Exactly 1 month before rug pulling its users using the oracle vulnerability, Defrost Finance has insured themselves with 2 Crypto Insurance Providers: **Insurace and [Degis Insurance](https://mobile.twitter.com/projectdegis)** … against “Oracle Failure”.

What a coincidence! 🤦‍♂️

Official announcement of the cooperation on insurance by Degis:

Now is where things are getting interesting.

So, back to DeFrost. Just as we did previously with Bundles, YFFS, PancakeBunny, Deus, and Alpha Homora cases — we are writing this article to inform the Community about the concerns we have about this project. As a premise, we would directly say that it seems like they are hiding.

But let’s start from the beginning.

Since 2020, we at De.Fi have performed more than 60+ Security Audits, we also analyze the functions / hints if the project retains the ability to scam investors with the following:

• Infinite minting;
• Anti-rug pool functions;
• Minting Exploits;
• Liquidity pooled;
• Transfer Allowlist;
• Owner tampering;
• Backdoor library.

1 year ago, De.Fi released a 120-page audit on Defrost Finance — **click here to see the full pdf file.** On page 33, we’ve stated the following:

“The Origin EOAs can replace the Oracle address. Collateral asset prices in the vaults of Defrost Finance depend on oracle contracts. In case the new oracle is insecure and can cause a sharp and unpredictable change in the price of an asset, this can lead to liquidation of user collaterals.”

We have warned about exactly what happened pn December 24th — the risk associated with the Origin EOAs being replaced with Oracle address in a centralized manner. This is what Defrost Finance used to manipulate with fake oracle and rug pull its users. And warned people about it. Accordingly, it was indicated by **Coindesk**, where the journal has featured our Audit and the warning about the crucial vulnerability that we stated in it:

In total, 151 issues had been detected, 13 of which were Critical and High Risk. Many who read our Audit and were able to withdraw their funds from DeFrost were lucky enough to save their funds as a result.

We have got in touch with Defrost Finance team 2 times:

• 1 Year ago, after we’ve performed an Audit on them. Back then we texted them to inform them about all the issues that we’ve found, and asked them to improve the correspondent functions of their smart smart contract. They never responded to us.
• Yesterday, after their rug pull. Have they responded? No.

Defrost Finance got caught.

After PeckShield’s and our investigations that we’ve **posted on Twitter**, it was clear for the Defrost Finance team that they’d been caught, and now there is no way for them to simply launder the funds and live in peace in the Bahamas.

That’s how they started to think of ways of returning funds back to the users.

On the next day after the exploit, they proposed the “hacker” a 20% reward for returning the “stolen” funds:

And on the next day, the “hacker” has returned all the stolen $12M:

Following the bounty hacking industry standard it’s IMPOSSIBLE to get a resolution so fast! The dealing process in the bounty program is much longer!

Moreover:

Why has “the hacker” returned the full amount of $12M? Why haven’t they taken the proposed 20% Bounty? Or have they sent back the “stolen” $12M and hoped that the Defrost Team will return the promised 20% back (unrealistic scenario, but anyway)?

Our question is: can the Defrost Team show to the public the transaction with which they have returned the 20% reward to the hacker?

However, the Developers Behind the Defrost Finance had a more successful RUG PULL in their Career…

DEFROST AND FINNEXUS TEAM

The Developers of Defrost Finance are the same people as the Developers of FinNexus (later it will be rebranded to Phoenix Finance), where the admin key had “leaked”, which resulted in a $7M loss in 2021. Following our research, considering all the inputs, there is a high chance that it was a rug pull, and the private key didn’t just “leak”.

Now we move on to the most interesting part of the entire saga: we believe that people who position themselves as the core team of Defrost Finance are not even real people. Let us explain:

It has become clear that at least 3 developers of Phoenix Finance (a.k.a. FinNexus that has rug pulled for $7M in 2021) and Defrost Finance are the same people. We have found the same profiles behind GitHub repositories of both projects; moreover, it looks like all these accounts are owned by 1 person, who uses the suffix “jqg” in all of their domains:

Now, ask yourself this: would people who are publicly KYC’d behind RUG PULLED (the fact of the rug pull wasn’t 100% clear in 2021, but now it has become clear) FinNexus, and whose identities can be easily found on the Web, start a 2nd project — Defrost Finance, with the same GitHub accounts, knowing, that they want to Rug Pull it too? To do that, you either need to:

• Want to go to jail really bad;
• Make a mistake and use same accounts for Defrost Finance, therefore, accidentally DOX your team, which was planned to be anonymous.

If you carefully check LinkedIn’s of FinNexus Founders, you will notice that those are clearly fake. No activity. No information. No links to previous projects / organizations / companies. Nothing.

Want more evidence of the Defrost Finance team being the same people as the FinNexus team? No problem! Today, after the first part of our investigation went live yesterday, FinNexus’s website went down. What a coincidence!

Yesterday, however, the website was still live. Unfortunately, the latest snapshot of the website taken by the webarchive is November 16th:

At the end, we have the scheme that looks like this:

• Boris Yang’s linkedin: https://www.linkedin.com/in/boris-yang-371297199/ — clearly a fake one;
• Linkedin of Jacky Wang (their Business co-Founder [whatever that means]): https://www.linkedin.com/in/jacky-wang-776458173/ — is clearly fake also;
• Lu Jianqiang linkedin: https://www.linkedin.com/in/%E5%BB%BA%E5%BC%BA-%E5%90%95-4400b5168/ — also fake.

Pay attention to the Tornado Cash Mixer logo that we’ve put near the Defrost Finance (on the scheme above).

You might wonder why we did it? It’s because the deployer of Defrost Finance was funded from the Tornado Cash mixer on Avalanche. Now, ask yourself: as a Founder of a Tier-1 Avalanche Project (at all time highs, Defrost had $120M TVL), would you want to DEPLOY your DAPP with funds from Tornado Cash, unless there is something you want to hide (for example the source of your income?)

It’s very likely that it was needed to hide the fact that funds used to deploy Defrost Finance were the SAME funds Defrost Finance’s Founders stole from FinNexus Finance in the 2021 Rug Pull

All three multisig signers were funded by one address:

• https://snowtrace.io/tx/0x0f3442385e191501d86efa89a1730df84223a5cb709f59e164398b78abfa217e
• https://snowtrace.io/tx/0x5c6cf35f4560f8097f5a983e30013700651e71b67097ca25cb7ee87d63a53cf2
• https://snowtrace.io/tx/0x93e9385f24fd09303442171296e2803b94ab1bdcedffc09ad00e14b90f7d5a57

The address on the screenshots above (that was sending funds to all 3 Defrost’s multisig signers), clearly belongs to Tornado Cash Mixer:

The connection between Phoenix Finance (FinNexus) and Defrost Finance can be found on Defrost’s GitHub, in the following repository:

AFTER-RUG-BEHAVIOR

In our First Article, we provided all the data needed to prove the rug pull fact behindDefrost Finance’s $12M scam, showing the connection between Defrost Finance and Finnexus (the project rug pulled in 2021 and then rebranded to Phoenix Finance).

Today, our research got featured on CoinTelegraph: https://cointelegraph.com/news/defrost-finance-breaks-silence-on-exit-scam-accusations-denies-rug-pull

After this, we got in touch with the Defrost Team asking them to KYC again. Unfortunately, no reply has come from its founders.

What Defrost Finance started doing instead is just banning everyone sending the link to this article in their chat and they are seen lying about the “private key getting compromised” — nonsense.

The victims of Defrost’s Rug Pull have united in a Telegram chat, where they dig into the case deeper:

We have also chatted with a user who claim to be the largest holder of Defrost Finance V1. Now he is hoping for the refund:

CONCLUSION

De.Fi has been fighting DeFi Scams for years, as our main goal is for DeFi to become a safer and a more convenient place for a retail investor. We believe that only by being safe and fully trustless, DeFi can have mass adoption and then we can finally go Bankless!

That’s why we’ve written the Amazon’s Bestseller: **“The Wall Street Era is Over” — the most comprehensive guide on Web3, and how to safekeep your crypto funds.**

Have comments or opinions? Let us know!

Check out other articles from the Saga series:

• The Deus Finance Saga
• The YFFS Saga
• The Bundles Finance Saga
• Pancake Bunny Saga
• Alpha Homora Saga