See More

Indexed Finance Suffers $16M Loss in Latest DeFi Exploit

2 mins
Updated by Kyle Baird
Join our Trading Community on Telegram

In Brief

  • Two Indexed Finance balanced pools were exploited.
  • Attacker made off with a basked of DeFi tokens.
  • NDX dumps 27% falling to more than 90% from its all-time high.
  • promo

Decentralized finance (DeFi) protocol Indexed Finance has reported that it’s become the latest victim of an exploit that resulted in a substantial loss of assets. On Oct. 15, Indexed Finance reported that it had suffered its first hack since protocol deployment in December, losing around $16 million in various DeFi tokens which it described as “devastating.”

Two of its indexes, DEFI5 and CC10, were targeted in the sophisticated attack which exploited the way index pools are rebalanced according to the post mortem report.

Indexed Finance offers portfolio management and is similar to exchange-traded funds and indexes with assets under management tracking the underlying assets’ performance.

Balanced DeFi pools targeted

Indexed uses pools of assets similar to Balancer with different weights of each token in the pool or index. It uses a Uniswap oracle to approximate prices and dynamically balances the pool token weightings.

The attacker took advantage of this rebalancing mechanism on the DEFI5 pool by taking out $156 million in flash swaps of the pool tokens UNI, AAVE, COMP, CRV, MKR, and SNX. It manipulated the pool weightings by adding a new token SUSHI, to control the majority weight of the pool.

The malicious contract used all of the borrowed assets to purchase UNI from the pool in chunks. The attacker executed a minimum balance update on the controller and because the UNI had been removed, it was calculated in SUSHI.

The previously purchased UNI was then used to mint new DEFI5 resulting in the pool supply being inflated by orders of magnitude. The borrowed SUSHI allowed the attacker to mint additional DEFI5 at the extremely inflated valuation. which they burned and made off with the underlying assets. The process was repeated several times before moving on to carry out the same attack on the CC10 pool before repaying the flash loans.

Security firm PeckShield reported that the attacker had stolen 15 ETH, 226.9K UNI, 7.5K AAVE, 6.4K COMP, 845.8K CRV, 516 MKR, 45.4K SNX, 33.2K LINK, 5.2K YFI, 17.8K UMA, and 131.6K BAT totaling around $16 million.

Indexed stated that it will discuss reimbursements and how to move forward with the community while it works on patching the vulnerability.

NDX token dumps

Unsurprisingly, the protocol’s native NDX token has dumped 27% from $3.35 to $2.43 where it currently trades according to CoinGecko.

NDX, which has been trading between $2.50 and $4 for the past three months is now down 91% from its Feb 4 all-time high of $27.71.

Top crypto platforms in the US | March 2024
Coinbase Coinbase Explore →
AlgosOne AlgosOne Explore →
Chain GPT Chain GPT Explore →
iTrustCapital iTrustCapital Explore →

Trusted

Disclaimer

All the information contained on our website is published in good faith and for general information purposes only. Any action the reader takes upon the information found on our website is strictly at their own risk.

profile.jpg
Martin Young
Martin Young is a seasoned cryptocurrency journalist and editor with over 7 years of experience covering the latest news and trends in the digital asset space. He is passionate about making complex blockchain, fintech, and macroeconomics concepts understandable for mainstream audiences.   Martin has been featured in top finance, technology, and crypto publications including BeInCrypto, CoinTelegraph, NewsBTC, FX Empire, and Asia Times. His articles provide an in-depth analysis of...
READ FULL BIO
Sponsored
Sponsored