The decentralized finance (DeFi) platform Indexed Finance suffered a hack in which USD 16 million in crypto assets were stolen from some of its users. The incident happened on Thursday, October 14. To date the organization has been unable to recover the stolen funds, although it says it has already identified the hacker.
The platform warned on Twitter that if the hacker does not return the crypto assets, it will hand the hacker's details to the police. It is the first attack the platform has suffered since its launch in December. The victims were holders of tokens in the DEFI5 and CC10 indexes at the address 0xba5ed1488be60ba2facc6b66c6d6f0befba22ebe.
Immediately after the hack, Indexed worked out how the theft was carried out and explained in detail what had happened and how it will prevent it from happening again. It also warned that the core team will soon determine how those affected will be compensated and whether they will be able to recover their crypto assets.
Needless to say, we are shocked and upset. Hearing ‘sorry’ in a protocol always seems to sound empty after these incidents (especially for those affected). But it bears repeating. We truly apologize to both those who have run out of funds and those who remain in unaffected groups.
How was the hacking of crypto assets in the DeFi Indexed Finance?
A hacker took certain assets that backed the value of index tokens in Indexed Finance after finding a vulnerability in the protocol's smart contracts. This decentralized finance platform, built on Ethereum, produces tokens that track market indices.
Indexed explained that each time a token is added, representing 1% of a Balancer index pool, the system sets a price for it according to Uniswap calculations. The function responsible for this finds the first fully initialized token with a weight greater than zero and extrapolates the value of the whole pool from that single token's balance and its weight.
The platform also has another function that resets the virtual balance of an uninitialized token. It is used when the token's value changes so that the minimum balance is far from 1% of the pool and nobody has an incentive to swap it in. This is the function the hacker used to carry out the theft.
The hack consisted of executing a minimum-balance update during a reindex of DEFI5 in which UNI was used to extrapolate the value of the pool. In the process, $156 million worth of UNI, AAVE, COMP, CRV, MKR and SNX was swapped on Sushiswap and Uniswap V2.
According to the post, the problem began when the calculation determined that the minimum fair value for 11,926 SUSHI was around USD 126 thousand. Since that figure allowed almost all of the UNI in the pool to be bought, the attacker raised 29,851 SUSHI to USD 300 thousand, thereby obtaining an inflated supply. This is similar to other hacks that CriptoNoticias reported this year.
Next, the hacker burned DEFI5 for all of its underlying assets and repeated the process several times. In the end, he repaid the flash loans with around $11 million in crypto assets. In CC10 the procedure was the same, except that the initial reindexing step had already been done.
Given the situation, Indexed decided that it will remove the value-extrapolation function because it is insecure. It said it is open to evaluating all possible ideas for new code and has already received help from many Ethereum developers to modify its smart contracts.
Indexed confirmed that it will implement a function that takes the combined value of the balances held by a pool in each of its tokens. Likewise, it will establish a wait of at least 24 hours so that a reindex and a minimum-balance update cannot occur in the same transaction.
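The following is an added illustration and not Indexed's contract code: a small pool model in Python that contrasts the two valuation approaches described above (extrapolating the pool's value from the first initialized token versus summing the value of every token the pool holds) and adds the 24-hour cooldown between a reindex and a minimum-balance update. All names, balances and prices are constructed for the example, and the formula used for the extrapolated value (token value divided by its weight) is an assumption, not taken from the page.

```python
from dataclasses import dataclass
from typing import List, Tuple


# Hypothetical pool model (assumption: not Indexed's contract code).
@dataclass
class Token:
    symbol: str
    balance: float       # units the pool holds
    price: float         # USD per unit, as reported by a price source
    weight: float        # share of the pool this token should represent (0..1)
    initialized: bool = True


@dataclass
class Pool:
    tokens: List[Token]
    last_reindex_ts: int = 0
    reindex_cooldown: int = 24 * 3600   # the 24-hour wait the article mentions

    def extrapolated_value(self) -> float:
        """Weak approach: find the first initialized token with weight > 0 and
        scale its USD value up by 1/weight to estimate the whole pool.
        The estimate depends entirely on one token's price (assumed formula)."""
        for t in self.tokens:
            if t.initialized and t.weight > 0:
                return t.balance * t.price / t.weight
        raise ValueError("no initialized token with non-zero weight")

    def summed_value(self) -> float:
        """Hardened approach: sum the USD value of every token the pool holds,
        so no single token's price determines the total on its own."""
        return sum(t.balance * t.price for t in self.tokens)

    def reindex(self, now: int) -> None:
        """Record when the pool was last reindexed (timestamps in seconds)."""
        self.last_reindex_ts = now

    def can_update_minimum_balance(self, now: int) -> bool:
        """A minimum-balance update is only allowed once the cooldown has
        elapsed since the last reindex, so both cannot land in one transaction."""
        return now - self.last_reindex_ts >= self.reindex_cooldown


def build_pool() -> Pool:
    # Constructed sample: two fairly priced tokens, each meant to be half the
    # pool, plus one uninitialized token that neither method should count.
    return Pool(tokens=[
        Token("AAA", balance=100.0, price=10.0, weight=0.5),
        Token("BBB", balance=50.0, price=20.0, weight=0.5),
        Token("CCC", balance=0.0, price=5.0, weight=0.0, initialized=False),
    ])


def valuations_under_price_change(multiplier: float) -> Tuple[float, float]:
    """Return (extrapolated, summed) pool values after the first token's
    reported price is multiplied by `multiplier`. Shows how far the two
    estimates diverge when one token's price moves."""
    pool = build_pool()
    pool.tokens[0].price *= multiplier
    return pool.extrapolated_value(), pool.summed_value()


if __name__ == "__main__":
    fair = build_pool()
    print("fair prices:", fair.extrapolated_value(), fair.summed_value())
    print("first token x10:", valuations_under_price_change(10.0))
    p = build_pool()
    p.reindex(now=1_000)
    print("update allowed right after reindex?", p.can_update_minimum_balance(1_000))
    print("update allowed 24h later?", p.can_update_minimum_balance(1_000 + 24 * 3600))
```

With fair prices both methods agree on the pool's value. When one token's reported price moves, the extrapolated figure moves with it in full, while the summed figure moves only by that token's share of the pool, which is why summing every balance is the safer basis for pricing index tokens; the cooldown check then ensures a reindex and a minimum-balance update cannot be combined in a single transaction.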