Key Takeaways

  • A hacker has drained over $16 million from index pools on Indexed Finance.
  • The exploit worked by tricking the algorithm governing the pools into calculating the pool’s value much lower than it should have been.
  • Despite two independent security experts reviewing the protocol’s smart contracts, the vulnerabilities were not discovered.


Indexed Finance has lost over $16 million worth of users’ assets after a hacker exploited a vulnerability in the protocol’s smart contracts.  

Indexed Finance Exploited

A hacker has found a way to game Indexed Finance’s smart contracts. 

The exploit, which took place Thursday evening, saw the hacker drain over $16 million worth of assets from two Indexed Finance indices.

The hacker took funds from the DEFI5 and CC10 pools by attacking the smart contract code governing how the pools calculate the value of deposited assets. By pumping flash-loaned assets into the pools in exchange for UNI tokens, the hacker managed to trick the algorithm into calculating the pool’s value much lower than it should have been. 

This allowed the hacker to mint huge quantities of the pool’s index tokens, which were then burned to claim the underlying assets. After paying off the initial flash loans, the hacker escaped with $11 million worth of assets from the DEFI5 pool and a further $5 million from the CC10 pool.

Following the exploit, the Indexed Finance team quickly assessed the situation and put out a post-mortem, breaking down how the exploit happened and apologizing to the community. Additionally, the protocol’s developers have already suggested a way to stop the exploit from happening again, commenting:

“We will modify the controller smart contracts to remove the approximate value function and replace it with one that takes the combined value of the balances held by a pool in every token it owns.”
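The difference between an approximate and a combined valuation, as an added Python sketch that is not code from Indexed Finance or from this article. It assumes the approximate function extrapolates the pool's value from a single token's balance and target weight, and it uses constructed balances, prices and weights with a simplified value-neutral swap.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    balances: dict  # token -> units held by the pool
    prices: dict    # token -> external USD price per unit
    weights: dict   # token -> target share of pool value (sums to 1)

    def approximate_value(self, reference):
        # Assumed shortcut: extrapolate the whole pool's value from one
        # token's balance and its target weight.
        value = self.balances[reference] * self.prices[reference]
        return value / self.weights[reference]

    def combined_value(self):
        # The replacement quoted above: value every balance the pool holds.
        return sum(self.balances[t] * self.prices[t] for t in self.balances)

    def swap(self, token_in, token_out, units_out):
        # Simplified value-neutral trade at external prices (no AMM curve,
        # no fees): token_out leaves, equal value of token_in arrives.
        value = units_out * self.prices[token_out]
        self.balances[token_out] -= units_out
        self.balances[token_in] += value / self.prices[token_in]


def valuation_gap(pool, reference):
    # Fraction by which the shortcut understates the combined value.
    full = pool.combined_value()
    return (full - pool.approximate_value(reference)) / full


def demo():
    # Constructed sample pool; figures are illustrative, not incident data.
    pool = Pool(
        balances={"UNI": 100_000, "AAVE": 20_000, "COMP": 5_000},
        prices={"UNI": 25, "AAVE": 250, "COMP": 500},
        weights={"UNI": 0.25, "AAVE": 0.50, "COMP": 0.25},
    )
    before = (pool.approximate_value("UNI"), pool.combined_value())
    pool.swap("AAVE", "UNI", 90_000)  # pool is skewed away from UNI
    after = (pool.approximate_value("UNI"), pool.combined_value())
    return before, after, valuation_gap(pool, "UNI")


if __name__ == "__main__":
    before, after, gap = demo()
    print(f"before: approx={before[0]:,.0f} combined={before[1]:,.0f}")
    print(f"after:  approx={after[0]:,.0f} combined={after[1]:,.0f} gap={gap:.0%}")
```

The combined figure is unchanged by the skew while the single-token estimate collapses, so a controller or monitor can compare the two and refuse to act when the gap exceeds a tolerance.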

It is important to note that two independent security experts audited the Indexed Finance smart contracts before the protocol deployed them. Both Daniel Luca, a former auditor for ConsenSys Diligence, and Mudit Gupta, current core developer for Sushi, reviewed the contracts but could not spot the vulnerabilities.

Indexed Finance is a DeFi protocol that allows users to invest in various cryptocurrency-based indexes. Each index pool allows users to freely trade between the index token and the underlying assets, a feature that the hacker managed to exploit.

The Indexed Finance team has yet to announce a plan to compensate users for their lost assets, stating that they will have a proposal ready soon. 

Indexed Finance joins a long list of DeFi protocols to suffer exploits this year. While some hacks, such as the $600 million Poly Network exploit, resulted in the hacker eventually returning the stolen funds, many victims cannot recover their assets. Judging by the complexity of the Indexed Finance exploit, it seems unlikely that the hacker will return the funds this time.

Disclaimer: At the time of writing this feature, the author owned BTC, ETH, and several other cryptocurrencies. 
