
DeFi project Indexed Finance loses $16 million in hacker attack
An unknown actor siphoned assets worth about $16 million from the liquidity pools of the DeFi project Indexed Finance; the developers said the hacker exploited a vulnerability in the rebalancing mechanism.
Indexed Attack Post-Mortem: https://t.co/ASWB8PlcU0
— Indexed Finance (@ndxfi) October 15, 2021
Indexed Finance offers users access to digital indices focused on the cryptocurrency industry. These instruments are tokens of the ERC-20 standard, placed in liquidity pools managed by a fork of the Balancer protocol. To calculate the ratio, prices and asset movements, the project uses the Uniswap oracle.
According to the developers, the attack affected two indexes: DEFI5 and CC10. To execute it, the attacker used flash loans.
At the time of the attack, the DEFI5 pool was ready for reindexing, which any user can trigger after three rebalances; these occur weekly. The native Uniswap token (UNI) was the first “initialized” asset (one whose token balance corresponds to its weight) suitable for estimating the approximate value of the entire pool.
The hacker added SUSHI, the native SushiSwap token, to the pool; during reindexing the Indexed Finance mechanism allowed a minimum balance for the asset of 11,926 SUSHI (~$126,000 at the time of the attack).
Next, the attacker took out flash loans on SushiSwap and Uniswap V2. He obtained UNI, AAVE, COMP, CRV, MKR and SNX tokens with a total value of $156 million and deposited them into the DEFI5 pool. All of these assets were initialized.

The hacker used the borrowed assets to purchase UNI from the pool. Because of built-in limits in Indexed Finance, the purchase had to be split into several transactions.
After the hacker had acquired nearly all the UNI tokens, he updated the Index Controller contract, which tracks the value of tokens in the pool and sets “portfolio targets.” Because the UNI balance was very low, the protocol calculated that the approximate pool value was 29,851 SUSHI (~$300,000), even though he had obtained assets worth more than $100 million.
The UNI acquired by the hacker was used to issue DEFI5 tokens. The borrowed SUSHI was used for the same purpose (the issuance occurred at an inflated valuation). He repeated the manipulations several times.

After that, he repaid the flash loans and obtained assets worth about $11 million. The attack on the CC10 pool was carried out in the same way. He extracted around $5 million from it.
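The valuation weakness described above, modelled as an added example (not Indexed Finance code): a pool value extrapolated from a single token's balance collapses when that token is drained, while a median across all initialized tokens does not, so a deviation guard can refuse the reindex. The extrapolation formula, function names, equal weights, prices, balances and the 10% threshold are all assumptions or constructed sample values.

```python
from statistics import median

TOKENS = ["UNI", "AAVE", "COMP", "CRV", "MKR", "SNX"]

def total_weight(pool):
    return sum(t["weight"] for t in pool.values())

def extrapolate(token, tw):
    # Assumed model: whole-pool value inferred from ONE token's balance,
    # oracle price and share of the total weight.
    return token["balance"] * token["price"] * tw // token["weight"]

def single_token_estimate(pool, name):
    """Weak estimator: trusts the current balance of one token."""
    return extrapolate(pool[name], total_weight(pool))

def robust_estimate(pool):
    """Median of the per-token extrapolations across all initialized tokens."""
    tw = total_weight(pool)
    return median(extrapolate(t, tw) for t in pool.values())

def reindex_allowed(pool, name, max_deviation=0.10):
    """Guard: reject when the single-token estimate departs from the median."""
    ref = robust_estimate(pool)
    return abs(single_token_estimate(pool, name) - ref) <= max_deviation * ref

def balanced_pool():
    # Constructed sample: six equally weighted tokens, equal value each.
    return {n: {"balance": 100_000, "price": 10, "weight": 1} for n in TOKENS}

def skewed_pool():
    # Constructed sample: 99% of UNI bought out within one block,
    # other balances inflated by the deposits used to pay for it.
    pool = balanced_pool()
    for n in TOKENS:
        pool[n]["balance"] = 1_000 if n == "UNI" else 120_000
    return pool

if __name__ == "__main__":
    for label, pool in (("balanced", balanced_pool()), ("skewed", skewed_pool())):
        print(label, single_token_estimate(pool, "UNI"),
              robust_estimate(pool), reindex_allowed(pool, "UNI"))
```
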
Indexed Finance called the incident “devastating” for the project and noted that they knew how to fix the vulnerability. The team was also offered help from “esteemed Ethereum developers.”
The project administration will discuss with the community the process of compensating the victims. It will seek guidance from protocols that have faced similar situations.
Earlier in September, an unknown hacker breached the lending platform Vee.Finance and withdrew tokenized Bitcoin and Ethereum worth about $35 million.