Indexed Finance Attack Post-Mortem - October 2021
Attack Overview
Indexed suffered its first hack since its December 2020 deployment, resulting in about $16m worth of assets stolen. The attack exploited the way index pools are rebalanced.
Technical Details of the Exploit
The exploit contract took out approximately $156m worth of flash swaps in UNI, AAVE, COMP, CRV, MKR and SNX from Sushiswap and Uniswap V2, then used these borrowed assets to purchase UNI from the pool in chunks through dozens of swaps.
The attacker then executed a minimum balance update on the controller. Because they had purchased nearly all of the UNI in the pool, its balance was very low when the controller queried it, and so the approximated value of the entire pool was calculated as 29,851 SUSHI (~$300k), despite the pool having received over a hundred million dollars worth of other assets.
The caller then used the borrowed SUSHI to mint additional DEFI5 at the extremely inflated valuation caused by the minimum balance exploit, burned the DEFI5 for all of the underlying assets, repeated this a number of times, and finally paid off the flash loans while making off with about $11m worth of assets.
Attack Vector / Exploit Steps
1. Flash-borrow $156m of UNI/AAVE/COMP/CRV/MKR/SNX from Sushiswap and Uniswap V2
2. Buy nearly all of the UNI from the targeted index pool through dozens of swaps
3. Trigger a minimum balance update on the controller; the pool's approximated value collapsed to ~$300k of SUSHI because the UNI balance was depleted
4. Mint DEFI5 (the index token) at the manipulated, inflated valuation
5. Burn DEFI5 to redeem all underlying pool assets
6. Repeat the mint/burn cycle multiple times
7. Repay flash loans and exit with ~$11m profit; pools lost ~$16m total across DEFI5 and CC10
Financial Impact
• ~$16m total losses across the DEFI5 and CC10 index pools
• Attacker netted approximately $11m after flash-loan repayment
Proposed Fixes
The team planned to:
• Modify the controller smart contracts to remove the approximate value function and replace it with one that takes the combined value of all balances held by a pool in every token it owns
• Implement a minimum wait time of at least a day or two between re-index and minimum balance update operations
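The two proposed fixes, sketched in a simplified model beside the single-token estimate they replace. This is an added example, not Indexed's controller code: the extrapolation formula, the token names, balances, prices, weights and the 24-hour delay are all assumptions constructed for illustration.

```python
# Simplified model; the formula below is an assumption, not the controller's code.
from dataclasses import dataclass

MIN_DELAY = 24 * 3600  # assumed: one day, in seconds


@dataclass
class Holding:
    balance: float  # token units held by the pool
    price: float    # value of one unit in the quote asset
    weight: float   # target share of pool value (weights sum to 1)


def approximate_value(pool, ref):
    """Weak: extrapolate the whole pool's value from one token's balance."""
    h = pool[ref]
    return h.balance * h.price / h.weight


def combined_value(pool):
    """Fix 1: combined value of all balances the pool holds."""
    return sum(h.balance * h.price for h in pool.values())


def can_update_minimum_balance(last_reindex, now, min_delay=MIN_DELAY):
    """Fix 2: require a wait between re-index and minimum balance update."""
    return now - last_reindex >= min_delay


def make_pool(ref_balance, other_balance):
    # Constructed sample: four equally weighted tokens, each priced at 1.0.
    pool = {"REF": Holding(ref_balance, 1.0, 0.25)}
    for name in ("TKN_A", "TKN_B", "TKN_C"):
        pool[name] = Holding(other_balance, 1.0, 0.25)
    return pool


balanced = make_pool(1000.0, 1000.0)
skewed = make_pool(10.0, 1330.0)  # reference token drained, others swollen

if __name__ == "__main__":
    for label, pool in (("balanced", balanced), ("skewed", skewed)):
        print(label, approximate_value(pool, "REF"), combined_value(pool))
```

On the balanced pool both estimates agree; on the skewed pool the single-token estimate is 100 times lower than what the pool actually holds, while the combined valuation is unchanged.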