# Update #2: Indexed Finance Attack

In the intervening hours since the previous update, we have had a significant development as to the identity of the exploiter, as well as connections back to interactions with Code 423n4, Binance and Coinbase. This post will lay out the connections and the ultimate reasoning behind the following Tweet:

https://twitter.com/ndxfi/status/1449203629085368322

BogHolder/tensors/UmbralUpsilon/ZetaZeroes, we know you're reading this, and all the Discord hopping in the world isn't going to help you now. Give it back. The whitehat bounty is still on offer, but that window is *rapidly* closing for you.

## BogHolder/Tensors & Code 423n4

In the [previous update](https://hackmd.io/fSTndeFZQPOPKYxlafaNIA), we laid out the fact that we (Dillon and Laurence) were contacted by - and in contact with - BogHolder#1688 on Discord (under a different profile picture and the username UmbralUpsilon at the time) in order to discuss certain aspects of the reweighting and reindexing mechanism of Indexed pools: the very aspect that was utilised in order to execute the exploit.

Following the exploit, we found that these conversations had been deleted on their side, and that we had no mutual servers with them. Given that they were unresponsive, this didn't bode well, but we at least had something to reach out to Discord about with a subpoena if we got more proof and it came to that.

About two hours ago we received a tip from someone in Discord stating that this account is a contributor to Code423n4, the community auditing platform: one that we have been intending to utilise for reviews of our protocol upgrade and Nirn.
Specifically, the tip was (name redacted for privacy):

![](https://i.imgur.com/8f0rm9s.png)

We dug around a bit and found that this was true: [this account](https://etherscan.io/address/0x3c86b2b86f0a4b180802026cb1d0d73f80200ab3) deposited into Tornado mere hours before the exploit - one more deposit than the exploiter later withdrew in order to execute the attack.

Get in contact with C4? Alright. We started a conversation with sockdrawermoney, one of the C4 organisers, and let them know our suspicion: that BogHolder#1688 was in fact the Indexed attacker. We were met with the fact that they already knew, and had been speaking to them, appealing to them to claim the whitehat bounty on offer.

Here's where things get a bit convoluted, but we'll explain as we go. Back in August, C4 ran [a competition for Notional](https://code423n4.com/reports/2021-08-notional) and handed out a couple of rewards for jobs well done. The #4 position in that competition was a user named 'tensors'.

![](https://i.imgur.com/VBAqIZi.png)

Within the C4 Discord, where users are tagged in announcements of results, this is reflected as tensors now being known as BogHolder.

![](https://i.imgur.com/xfvivJ7.png)

At 11:38 Central, a new user named `tensors8` joined the C4 Discord. A conversation then took place between sockdrawermoney and tensors8, of which tensors8 (BogHolder) subsequently deleted his side, in exactly the same way that UmbralUpsilon deleted the conversations with us.

**Due to concerns for the safety and well-being of the Code Arena team, we have taken the relevant screenshots down from this page.**

**Anyone pursuing legal action may contact dillon@indexed.finance or laurence@indexed.finance to retrieve a cached version of the evidence.**

We are satisfied that these two parties (tensors8 and BogHolder) are one and the same, and that the wallet that C4 paid for the Notional work - and which used Tornado right before the assault on Indexed - belongs to them.
Let's go on the chain.

## Finding Links To Fiat

It turns out that obfuscating your transactions doesn't really help you when your adversaries are motivated by the theft of sixteen million dollars. Here comes a flurry.

The attacker received funds twice from [0x4648451b5f87ff8f0f7d622bd40574bb97e25980](https://etherscan.io/address/0x4648451b5f87ff8f0f7d622bd40574bb97e25980), which was [funded through Binance](https://etherscan.io/tx/0xd05832b2e1ddedc3a7ba11396b83f024d0538e8a6affa62d6c7b913626f008eb) as its initial source of Ether for gas three years ago.

They also received funds from [0x98B42202F6757ae42AF0443D4C0F271aA006Ac03](https://etherscan.io/address/0x98b42202f6757ae42af0443d4c0f271aa006ac03), which has only two transactions within it:

1. Receiving funds from [0x5e81440f1ade80fc97c11e480782e1fd11bba7e4](https://etherscan.io/address/0x5e81440f1ade80fc97c11e480782e1fd11bba7e4), and
2. [Immediately sending these funds to the C4 wallet 0x3c86](https://etherscan.io/tx/0x409808711ea1559832da5be9792da9cfe79a5f8c242cfb09b3a4c1aa77935b10).

It is this 0x5e81 account that is particularly damning. This account only ever made six transactions, three of which are relevant to us:

1. [Receiving funds from Binance](https://etherscan.io/tx/0xa81182d75d07ec75d097a0cb1c42ec41aa2467c0e2cfc7b8ffbdf63171e1be8c),
2. [Sending funds to Coinbase](https://etherscan.io/tx/0x09d0f1df04b8669e3a484e9bfd3d20980adaf6578823602a43ed3bf32334738a), and
3. [Sending funds to the 0x98B4 wallet](https://etherscan.io/tx/0xeb411394eee8acc7427f2f31b753bc94855d3836663463b08064ad1f5f7a84b2).

We have a lot more information than this available to us, but it is more convoluted than what we can easily present here.
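The tracing above is one instance of a general procedure: walk transfers backwards from an address of interest until you hit an address tied to a KYC exchange (a fiat on-ramp), then note every exchange that any address on that lineage touched in either direction, since a deposit *to* an exchange ties the sender to a named account just as a withdrawal *from* one does. The script below is an added example of that walk and is not code from the Indexed Finance team or this post. Its edge list is a hand-built reconstruction of the hops the post describes, with exchanges as labels rather than real deposit addresses and with amounts, timestamps and transaction hashes omitted; it is not data fetched from the chain. Mixer hops are deliberately absent: a Tornado withdrawal is not linkable to a deposit on-chain, so each side of the mixer is traced as its own starting point.

```python
"""Backward fund-lineage trace over an address-transfer graph.

Added example, not code from the Indexed Finance post. The EDGES list is a
constructed reconstruction of the hops the post narrates, using the post's
shortened address prefixes and exchange names as labels.
"""
from collections import defaultdict, deque

ATTACKER = "attacker"        # the exploiter's funding address (label, assumed)
C4_PAYOUT = "0x3c86"         # wallet that received the C4 Notional reward

# (sender, receiver) transfers, constructed from the post's narrative.
EDGES = [
    ("Binance", "0x4648"),   # 0x4648 initially funded through Binance
    ("0x4648", ATTACKER),    # attacker funded from 0x4648 ...
    ("0x4648", ATTACKER),    # ... twice
    ("Binance", "0x5e81"),   # 0x5e81 received funds from Binance
    ("0x5e81", "Coinbase"),  # 0x5e81 also sent funds to Coinbase
    ("0x5e81", "0x98B4"),    # 0x5e81 sent funds to 0x98B4
    ("0x98B4", C4_PAYOUT),   # 0x98B4 immediately forwarded to the C4 wallet
]

# Labels we treat as fiat on-ramps subject to KYC.
ONRAMPS = {"Binance", "Coinbase"}


def build_graph(edges):
    """Return (incoming, outgoing) adjacency maps; repeated edges stay repeated."""
    incoming, outgoing = defaultdict(list), defaultdict(list)
    for sender, receiver in edges:
        incoming[receiver].append(sender)
        outgoing[sender].append(receiver)
    return incoming, outgoing


def trace_to_onramps(start, edges, onramps=ONRAMPS, max_hops=6):
    """Breadth-first walk backwards from `start`. Returns every distinct path
    (on-ramp, ..., start) reachable within `max_hops` nodes, in discovery order."""
    incoming, _ = build_graph(edges)
    paths, seen = [], set()
    queue = deque([(start,)])
    while queue:
        path = queue.popleft()
        head = path[0]
        if head in onramps:          # stop at the first KYC boundary on this branch
            if path not in seen:
                seen.add(path)
                paths.append(path)
            continue
        if len(path) > max_hops:
            continue
        for sender in incoming.get(head, []):
            if sender not in path:   # ignore cycles (self-funding loops)
                queue.append((sender,) + path)
    return paths


def lineage(start, edges, onramps=ONRAMPS):
    """Intermediate addresses on any on-ramp -> start path (endpoints excluded)."""
    return {a for p in trace_to_onramps(start, edges, onramps) for a in p[1:-1]}


def exchange_touchpoints(addresses, edges, onramps=ONRAMPS):
    """For each address, the on-ramps it received from or sent to. Only
    addresses with at least one touchpoint appear in the result."""
    incoming, outgoing = build_graph(edges)
    touch = {}
    for addr in addresses:
        hits = {("received_from", x) for x in incoming.get(addr, []) if x in onramps}
        hits |= {("sent_to", x) for x in outgoing.get(addr, []) if x in onramps}
        if hits:
            touch[addr] = hits
    return touch


if __name__ == "__main__":
    # Trace each side of the mixer separately: the attacker's gas source and
    # the C4 payout wallet that deposited into Tornado before the exploit.
    for target in (ATTACKER, C4_PAYOUT):
        for p in trace_to_onramps(target, EDGES):
            print(" -> ".join(p))
        print(exchange_touchpoints(lineage(target, EDGES), EDGES))
```

On the constructed graph this reproduces the post's two findings: `attacker` traces back to Binance through `0x4648`, and `0x3c86` traces back to Binance through `0x98B4` and `0x5e81`, with `0x5e81` also flagged for its send to Coinbase. Against real data you would populate `EDGES` from an indexer's transfer export and `ONRAMPS` from a curated list of exchange hot-wallet and deposit addresses; the `max_hops` bound matters there because funding graphs fan out quickly past a few hops.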
## Summary

To wrap up everything here:

* We have established that the Indexed attacker is the C4 Warden 'tensors',
* We have established connections between the wallet that they have received C4 payments to and two exchanges which require KYC (although in Binance's case, you could get away with not KYCing for non-trivial amounts until fairly recently),
* We have already reached out to these exchanges informing them of this, and
* We are now presenting an ultimatum.

**tensors, you have until 17:00 UTC on the 17th of October 2021 to return 90% of the stolen funds to the Indexed Finance Treasury address [0x78a3ef33cf033381feb43ba4212f2af5a5a0a2ea](https://etherscan.io/address/0x78a3ef33cf033381feb43ba4212f2af5a5a0a2ea).**

If you fail to do this, we will be sending all of the information that we have to law enforcement agencies for them to do with as they see fit. We will not stop digging either: you've slipped up elsewhere.

You can now choose what difficulty you want to play this game on. Easy mode or Dark Souls. It's your call.

---

**Update for historical record: following identification of the attacker, the 10% whitehat bounty (which was first put in writing to the attacker at 06:58 GMT on the 15th of October via Gitter and referenced in [Update #1](https://hackmd.io/fSTndeFZQPOPKYxlafaNIA)) was removed at 13:54 GMT on the 16th of October in [this tweet](https://twitter.com/ndxfi/status/1449373158583279622).**

**A party associated with Indexed Finance then reached out privately to the attacker - unbeknownst to the other parties involved - and offered a US$50,000 bounty for the return of funds, which the attacker 'accepted' in such a way as to effectively confess (see [Update #3](https://hackmd.io/@d1ll0n/Hyd-uCuBK#Update-on-BogHolder-Connection)).**