On Thursday, a hacker ran off with $16 million from decentralized finance (DeFi) project Indexed Finance—but now the protocol’s team says they know who the attacker is.
Indexed Finance is a DeFi project built on Ethereum. It produces tokens that track market indexes. A hacker took the assets that were backing the value of the index tokens by finding a vulnerability in the protocol’s smart contracts.
The attack was typical of DeFi exploits: the hacker took advantage of the flash loan mechanism by overloading the protocol with new assets. This lowered the price of the Indexed tokens, which then allowed the attacker to mint new ones and cash them out.
Now, two out of six assets in the protocol, DEFI5 and CC10 (both index tokens that track large DeFi projects), have lost most of their value.
DEFI5 dropped by 85% an hour after the hack—from $88.73 to $3.67, according to CoinGecko data. CC10 lost 98% of its value; before the hack it was trading for $62.50 but afterward it dropped to $0.74.
Three other index tokens, DEGEN, NFTP and ORCL5, are safe, Laurence Day, a 32-year-old contributor and member of the Indexed DAO, told Decrypt. The sixth asset, FFF, a meta index that contains DEFI5 and CC10, was badly damaged and will need to end in its current form. He added that a compensation plan will be put together.
The project’s members identified the hacker on Friday because he didn't cover his tracks off-chain well enough, Day said. They then gave him an ultimatum: return the funds by midnight on Saturday or else they would contact law enforcement.
The 10% offer has expired. The attacker has until EOD to return 100% of the stolen funds or his information will be published and law enforcement notified. https://t.co/am2XnwL5fD
But members of the DAO have since put the brakes on the conditions, they said via Twitter, because they found out the hacker was “significantly younger than we thought.”
Day told Decrypt that the project was in a “desperately tense situation” and was still figuring out what to do next. He would not tell Decrypt if they were negotiating with the hacker.
But he said that several people on the protocol’s team had verified who the hacker was—and it was now up to him to return the funds. “This is a choice which is now in the hands of the attacker,” he wrote.
The ultimatum has not been met.
In the minutes before the deadline elapsed, @ZetaZeroes made changes to his accounts that have made us realise at the last minute that the attacker is significantly younger than we thought.
Day did not say whether they would contact law enforcement today.
DeFi, or decentralized finance, is a catch-all term for projects that want to automate traditional financial tools, like banks. They aim to provide loans, interest, and asset swaps without banks or other intermediaries via smart contracts—bits of code that carry out instructions. Most are built on Ethereum, the blockchain that houses the second-biggest cryptocurrency by market cap.
But DeFi is an experimental industry—the protocols are very new—and it is prone to hacks. Indexed is not the first to suffer such a big exploit. The list of DeFi hacks this year is long, but last month alone pNetwork lost $12.5 million and an NFT project called Vee Finance suffered a $35 million exploit.
And in August, a hacker ran off with $25 million from lending and borrowing platform Cream Finance.
Decentralized finance is enjoying a period of sustained growth, with nearly $80 billion in assets locked into protocols, per data from DeFi Pulse, just 10% lower than its May peak.
But, as the saying goes: more money, more problems.
According to a new report from blockchain forensics firm CipherTrace, DeFi-related hacks and fraud have cost protocols and their users $474 million through the first seven months of the year. While overall cryptocurrency fraud and crime has dropped considerably—Ciph...
Many projects have been able to recuperate some of the stolen funds. But the huge hacks happening each month are a reminder that the space is new, experimental and risky.
Laurence added that the DeFi space needs auditors to prevent hacks and that “the talent pool in the space is desperately thin.”