- DeFi protocol Indexed Finance suffered losses worth $16 million after hack.
- The firm stated it has identified the attacker but haven’t shared any information as to hacker’s identity yet.
NEW DELHI (CoinChapter.com) — Indexed Finance, a DeFi protocol for passive portfolio management, lost $16 million following the hacking of its indices: DEFI 5 and CC10.
The attack exploited Indexed’s index pool rebalancing mechanism by tricking the pool governing algorithm into miscalculating the pool’s value. The hacker pumped flash-loaned assets into the pools in exchange for UNI tokens to trick the algorithm.
When the attacker executed a minimum balance update on the controller, it approximated the value of the entire pool as roughly $300,000. In reality, the pool had received over $100 million worth of other assets. The attacker then proceeded to mint new Indexed tokens.
Next, the attacker burned the index tokens to claim the underlying assets. After paying off the initial flash loans, the hacker managed to steal $11 million from DEFI5 and a further $5 million from the CC10 pool.
Indexed Finance is a DeFi protocol that allows users to invest in various cryptocurrency-based indexes. In addition, users can freely trade between the index token and the underlying assets.
In a surprising turn of events, or maybe a lack of expertise on the hacker’s part, Indexed finance announced it had identified the hacker responsible for the theft.
In a post on HackMD, Laurence E. Day, a member of Indexed Finance’s core team, highlighted how the firm identified the hacker, know by aliases BogHolder/tensors/UmbralUpsilon/ZetaZeroes, as being the perp. Furthermore, the post included an injunction, warning the hacker to return 90% of the stolen funds to avoid legal repercussions.
DeFi aims to decentralize traditional financial tools, like provide loans, interest, etc., via smart contracts. However, DeFi is prone to hacks. In the first seven months of 2021, the DeFi sector lost $474 million to frauds alone, while last month, pNetwork lost $12.5 million to hackers.
Updates on the Indexed Finance Hack
The assets targeted lost most of their value in hours, with DEFI5 dropping by 95.72%, going from $88.73 on Oct 16 to $3.79 on Oct 18. Meanwhile, CC10, a market-cap-weighted index of the top-10 cryptocurrencies, declined 98%, going from $62.50 to $0.74 in an hour.
At present, CC10 is down nearly 100%, trading at $0.00000687. Furthermore, FFF, a meta index that contains DEFI5 and CC10, would likely have to end its current form. However, officials from Indexed Finance stated that the firm would compensate investors for their losses.
Indexed Finance assured three other pools, DEGEN, NFTP, and ORCL5 are safe from assault. However, the firm also informed investors buying the dip in DEFI5, CC10, and FFF not to expect a rebound and warned investors who were planning to buy to abandon the idea.
After Indexed Finance gave their ultimatum, another tweet from Indexed DAO member Laurence Day suggests the attacker might be from Canada. However, it is just speculation at the time, as Indexed Finance put the brakes on its plans to reveal the attacker’s identity.
Indexed Finance then gave the attacker another ultimatum, stating that the previous offer of 10% in rewards had expired, adding that the attacker had till Saturday midnight to return all the stolen funds. Otherwise, Indexed promised to take legal action.
However, Indexed DAO later pulled back from sharing details of the hacker. Instead, the firm said new evidence suggests the hacker might be ‘significantly younger than we thought.’
As such, the firm discussed the way forward, putting the information dump on hold until they reassessed the situation. The DeFi protocols governing body also said it was now up to the hacker to return the funds.