A Criminal Hacked Indexed Finance and Withdrew $16 Million

Another DeFi project, Indexed Finance was subjected to a hacker attack by unknown persons who stole assets of about $16 million from liquidity pools and brought down the capitalization of the project.

However, at this time the Indexed Finance DeFi project team has stated that they already figured out who conducted the hack.

Recently, a hacker controlled the Tor network to steal cryptocurrency. If you’ve missed the news, you can read about it here.

What is Indexed Finance?

Indexed Finance is a DeFi project built on Ethereum. It produces tokens that track market indices. It was these tokens that a hacker cashed in on. They manipulated the value of the index tokens by discovering a vulnerability in the protocol’s smart contracts.

What is the Indexed Finance?

This marks the first time Indexed has been hacked since its launch last December, but the consequences for the project are extremely serious – assets worth more than $16 million have been withdrawn. By the way, the NDX token cost about $3.20–$3.44 on the eve of the incident. After the news about the company’s hacking appeared, the project’s capitalization fell by almost 50%. 

The first buy-off support was at $2.80, but it did not last long; the price continued to fall to $2.36 and reached $2.16. Thus, in addition to the loss from the withdrawn assets, capitalization fell by 48%.

Since that time there is an increase in the value of NDX ($2.33), but it is impossible to predict the further movement of the coin.

Hackers broke into 150,000 cameras worldwide. Learn more here.

Attack details

According to the developers, the target of the attack was two indexes – DEFI5 and CC10. Additionally, the attacker took advantage of the vulnerability of rebalancing pools. The Indexed Finance protocol offers users the management of a DeFi portfolio similar to exchange-traded funds and indices with assets under management.

Assets were withdrawn, probably due to a vulnerability in the rebalancing of index pools. When a token is added to the index pool, the approximate values of Uniswap oracles are used to evaluate the token in the load balancer pool. This is necessary to speed up transactions and limit interaction with external markets. 

The attackers clearly calculated the minimum balance in the controller since they bought almost all the UNI in the pool, after which they paid themselves urgent loans with assets of $11,000,000.

The Indexed Finance’s attack details

On average, every 45 seconds UK companies are subjected to a hacker attack. Find out the details here.

The developers have fully tracked the hackers’ actions, and intend to fix the contract to prevent similar attacks. In addition, the functions of approximate values will be removed, and the possibility of reindexing and updating the minimum balance. Many leading Ethereum developers assisted the project team and began testing the new code before implementing it in Indexed. 

The issue of compensation for people who have lost funds will be discussed with the community. No compensation proposals have been received from the management, and internal proceedings are expected to be completed.

Hackers even know how to bypass 3D secure. Read more here.


Leave a Reply

Leave a comment

Your email address will not be published.