On Thursday, a hacker ran off with $16 million from decentralized finance (DeFi) project Indexed Finance—but now the protocol’s team says they know who the attacker is.
Indexed Finance is a DeFi project built on Ethereum. It produces tokens that track market indexes. A hacker took the assets that were backing the value of the index tokens by finding a vulnerability in the protocol’s smart contracts.
The attack was typical of DeFi exploits: the hacker took advantage of the flash loan mechanism by overloading the protocol with new assets. This lowered the price of the Indexed tokens, which then allowed the attacker to mint new ones and cash them out.
Now, two out of six assets in the protocol, DEFI5 and CC10 (both index tokens that track large DeFi projects), have lost most of their value.
DEFI5 dropped by 85% an hour after the hack—from $88.73 to $3.67, according to CoinGecko data. CC10 lost 98% of its value; before the hack it was trading for $62.50 but afterward it dropped to $0.74.
Three other index tokens, DEGEN, NFTP and ORCL5, are safe, Laurence Day, a 32-year-old contributor and member of the Indexed DAO, told Decrypt. The sixth asset, FFF, a meta index that contains DEFI5 and CC10, was badly damaged and will need to end in its current form. He added that a compensation plan will be put together.
The project’s members identified the hacker on Friday because he didn't cover his tracks off-chain well enough, Day said. They then gave him an ultimatum: return the funds by midnight on Saturday or else they would contact law enforcement.
The 10% offer has expired. The attacker has until EOD to return 100% of the stolen funds or his information will be published and law enforcement notified. https://t.co/am2XnwL5fD
But members of the DAO have since put the brakes on the conditions, they said via Twitter, because they found out the hacker was “significantly younger than we thought.”
Day told Decrypt that the project was in a “desperately tense situation” and was still figuring out what to do next. He would not tell Decrypt if they were negotiating with the hacker.
But he said that several people on the protocol’s team had verified who the hacker was—and it was now up to him to return the funds. “This is a choice which is now in the hands of the attacker,” he wrote.
The ultimatum has not been met.
In the minutes before the deadline elapsed, @ZetaZeroes made changes to his accounts that have made us realise at the last minute that the attacker is significantly younger than we thought.
Day did not say whether they would contact law enforcement today.
DeFi, or decentralized finance, is a catch-all term for projects that want to automate traditional financial tools, like banks. They aim to provide loans, interest, and asset swaps without banks or other intermediaries via smart contracts—bits of code that carry out instructions. Most are built on Ethereum, the blockchain that houses the second-biggest cryptocurrency by market cap.
But DeFi is an experimental industry—the protocols are very new—and it is prone to hacks. Indexed is not the first to suffer such a big exploit. The list of DeFi hacks this year is long, but last month alone pNetwork lost $12.5 million and an NFT project called Vee Finance suffered a $35 million exploit.
And in August, a hacker ran off with $25 million from lending and borrowing platform Cream Finance.
Many projects have been able to recuperate some of the stolen funds. But the huge hacks happening each month are a reminder that the space is new, experimental and risky.
Laurence added that the DeFi space needs auditors to prevent hacks, and that “the talent pool in the space is desperately thin.”