Decentralized finance (DeFi) protocol Indexed Finance has reported that it’s become the latest victim of an exploit that resulted in a substantial loss of assets. On Oct. 15, Indexed Finance reported that it had suffered its first hack since protocol deployment in December, losing around $16 million in various DeFi tokens which it described as “devastating.”
Two of its indexes, DEFI5 and CC10, were targeted in the sophisticated attack which exploited the way index pools are rebalanced according to the post mortem report.
Indexed Finance offers portfolio management and is similar to exchange-traded funds and indexes with assets under management tracking the underlying assets’ performance.
Balanced DeFi pools targeted
Indexed uses pools of assets similar to Balancer with different weights of each token in the pool or index. It uses a Uniswap oracle to approximate prices and dynamically balances the pool token weightings.
The attacker took advantage of this rebalancing mechanism on the DEFI5 pool by taking out $156 million in flash swaps of the pool tokens UNI, AAVE, COMP, CRV, MKR, and SNX. It manipulated the pool weightings by adding a new token SUSHI, to control the majority weight of the pool.
The malicious contract used all of the borrowed assets to purchase UNI from the pool in chunks. The attacker executed a minimum balance update on the controller and because the UNI had been removed, it was calculated in SUSHI.
The previously purchased UNI was then used to mint new DEFI5 resulting in the pool supply being inflated by orders of magnitude. The borrowed SUSHI allowed the attacker to mint additional DEFI5 at the extremely inflated valuation. which they burned and made off with the underlying assets. The process was repeated several times before moving on to carry out the same attack on the CC10 pool before repaying the flash loans.
Security firm PeckShield reported that the attacker had stolen 15 ETH, 226.9K UNI, 7.5K AAVE, 6.4K COMP, 845.8K CRV, 516 MKR, 45.4K SNX, 33.2K LINK, 5.2K YFI, 17.8K UMA, and 131.6K BAT totaling around $16 million.
Indexed stated that it will discuss reimbursements and how to move forward with the community while it works on patching the vulnerability.
NDX token dumps
Unsurprisingly, the protocol’s native NDX token has dumped 27% from $3.35 to $2.43 where it currently trades according to CoinGecko.
NDX, which has been trading between $2.50 and $4 for the past three months is now down 91% from its Feb 4 all-time high of $27.71.
All the information contained on our website is published in good faith and for general information purposes only. Any action the reader takes upon the information found on our website is strictly at their own risk.