On Thursday, a hacker ran off with $16 million from decentralized finance (DeFi) project Indexed Finance—but now the protocol’s team says they know who the attacker is.
Indexed Finance is a DeFi project built on Ethereum. It produces tokens that track market indexes. A hacker took the assets that were backing the value of the index tokens by finding a vulnerability in the protocol’s smart contracts.
The attack was typical of DeFi exploits: the hacker took advantage of the flash loan mechanism by overloading the protocol with new assets. This lowered the price of the Indexed tokens, which then allowed the attacker to mint new ones and cash them out.
Now, two out of six assets in the protocol, DEFI5 and CC10 (both index tokens that track large DeFi projects), have lost most of their value.
DEFI5 dropped by 85% an hour after the hack—from $88.73 to $3.67, according to CoinGecko data. CC10 lost 98% of its value; before the hack it was trading for $62.50 but afterward it dropped to $0.74.
Three other index tokens, DEGEN, NFTP and ORCL5, are safe, Laurence Day, a 32-year-old contributor and member of the Indexed DAO, told Decrypt. The sixth asset, FFF, a meta index that contains DEFI5 and CC10, was badly damaged and will need to end in its current form. He added that a compensation plan will be put together.
The project’s members identified the hacker on Friday because he didn't cover his tracks off-chain well enough, Day said. They then gave him an ultimatum: return the funds by midnight on Saturday or else they would contact law enforcement.
The 10% offer has expired. The attacker has until EOD to return 100% of the stolen funds or his information will be published and law enforcement notified. https://t.co/am2XnwL5fD
— Indexed Finance (@ndxfi) October 16, 2021
But members of the DAO have since put the brakes on the conditions, they said via Twitter, because they found out the hacker was “significantly younger than we thought.”
Day told Decrypt that the project was in a “desperately tense situation” and was still figuring out what to do next. He would not tell Decrypt if they were negotiating with the hacker.
But he said that several people on the protocol’s team had verified who the hacker was—and it was now up to him to return the funds. “This is a choice which is now in the hands of the attacker,” he wrote.
The ultimatum has not been met.
In the minutes before the deadline elapsed, @ZetaZeroes made changes to his accounts that have made us realise at the last minute that the attacker is significantly younger than we thought.
— Indexed Finance (@ndxfi) October 17, 2021
Day did not say whether they would contact law enforcement today.
DeFi, or decentralized finance, is a catch-all term for projects that want to automate traditional financial tools, like banks. They aim to provide loans, interest, and asset swaps without banks or other intermediaries via smart contracts—bits of code that carry out instructions. Most are built on Ethereum, the blockchain that houses the second-biggest cryptocurrency by market cap.
But DeFi is an experimental industry—the protocols are very new—and it is prone to hacks. Indexed is not the first to suffer such a big exploit. The list of DeFi hacks this year is long, but last month alone pNetwork lost $12.5 million and an NFT project called Vee Finance suffered a $35 million exploit.
And in August, a hacker ran off with $25 million from lending and borrowing platform Cream Finance.
Many projects have been able to recover some of the stolen funds. But the huge hacks happening each month are a reminder that the space is new, experimental and risky.
Laurence added that the DeFi space needs auditors to prevent hacks, saying that “the talent pool in the space is desperately thin.”