DeFi protocol Defrost Finance said that a hacker involved in an exploit last week has now returned the stolen funds, but its audit firm Certik claims that the project attempted an exit scam.

In an update on Monday, the Defrost team said it was “glad to announce” that stolen funds had been returned by an alleged exploiter.

The team behind the Avalanche-based protocol said it was the victim of a flash loan exploit on Dec. 23. In an incident analysis published on Twitter, the team claimed that an attacker first drained funds in V2, followed by a larger attack on V1.

Data from DeFi Llama shows that the protocol lost $12 million following the exploit, with Total Value Locked amounting to around $93,000 at the time of writing.

DeFi Llama

“We are willing to discuss sharing 20% (negotiable) of the funds in exchange for the bulk of assets and are calling on the hackers to contact us asap,” tweeted the Defrost team the following day.

Blockchain security experts weren’t convinced by Defrost’s claims that it had been exploited. On Dec. 25, security firm PeckShield Inc said it had received community intel that Defrost has orchestrated a rug pull – a term used to describe a situation where those running the project pull all of its liquidity.

“Our analysis shows a fake collateral token is added and a malicious price oracle is used to liquidate current users. The loss is estimated to be >$12M,” tweeted PeckShield.

A statement from Defrost’s own auditors further evidenced the claims that the alleged exploit was actually an inside job.

Blockchain audit firm Certik accused the project of attempting an exit scam and said that it was assisting authorities with all possible relevant information.