# Update #1: Indexed Finance Attack
Here's what we know so far about the identity of the Indexed exploiter, efforts that have been made to reach out, and a few points about the safety of the unaffected Indexed pools.
**Update [06:05 BST, 16th October]**: we have identified the Indexed attacker and issued an ultimatum. Details available here: https://hackmd.io/@laurenceday/H1OylawSF
## Status Of Remaining Pools
The important stuff first - safety of other pools.
ORCL5 is subject to the same exploit (it is an index operated by the MarketCapSqrtController contract on the core controller); however, the attack cannot be replicated against it for at least another month, as it was reindexed on the 5th of October.
DEGEN and NFTP also contain the same core vulnerability within their controller; however, the attack in question requires that there are candidate assets available to be phased in, and this is not the case for these two pools: the active asset list and the candidate asset list are the same. Tokens can only be added by a 3/5 Sigma committee vote [through this Gnosis: 0xbb22a47842eafc967213269280509a8b28e57076], and suffice it to say, that will not be happening.
These pools can be considered 'safe', and we will be able to upgrade them through a Governor Alpha vote, once the patch has been produced and reviewed, before any adverse events can befall them - however, apprehension is absolutely understandable for those that wish to exit these positions out of caution.
## Exploiter Identity
The knife twist is that we've realised that we believe that we actually know who did this: we spoke to them quite a bit prior to the execution of this attack.
Starting on the 15th of September, we were approached by a Discord user under the name 'UmbralUpsilon' (currently BogHolder#1688), asking some questions about the way in which certain parameters were utilised in the TWAP oracle (although the oracle was not part of the attack, this is the topic that they opened with). Since every component of Indexed is open-source, we answered these questions, and upon asking the reason, were told that they were attempting to create an arbitrage bot for the pools.
This is a key part of how Indexed generates revenue (exit fees on burns when arbitraging the NAV of tokens and their value on DEXes), and we were happy to engage with queries about the mechanics, explaining how reindexes work, the timing of reweights, how tokens are added and removed from candidate asset lists, and so on. We had no reason to be alarmed: all of these conversations were in the spirit of open-source collaboration.
In the aftermath of the attack, the two of us in Core that engaged in these conversations (Dillon and Laurence) have found that this user's side of the conversations has been deleted in its entirety. However, in the interests of full disclosure, I (Laurence) attach the entirety of my side of the conversation: https://imgur.com/a/z4AZJlk
We are aware (courtesy of [@pcaversaccio](https://twitter.com/pcaversaccio)) that the exploiter requested some Kovan testnet Ether via Gitter, using the (dead, presumably created for the purposes of the assault) Twitter account @ZetaZeroes. We have reached out to them via Gitter with the following message: https://imgur.com/a/rhUHQY2.
We have also reached out directly to the exploiter (0xba5ed1488be60ba2facc6b66c6d6f0befba22ebe) with a message: https://etherscan.io/tx/0x50af8eb95eeebf2ceb8e5a141841ad5bde7ddcc0bdc206ad761322cb26e4ec75 - but given that subsequent to that they deployed another contract and attempted to perform more interactions, we must assume ongoing hostility.
We speak now directly to the exploiter, if they ever read this: you're clearly incredibly skilled: this is something that has been overlooked for ten months in production, and you're the only one that found it. It would have been so much more productive for you to choose to work with us instead: be the antihero of this story rather than the villain. Take a 10% whitehat, and save a lot of people the effort of engaging law enforcement.
The people that are affected by this are those that are trying to diversify risk within a volatile space. That's part of what makes this particularly cruel: no one deserves to have their funds whisked away, but the context here is an irony that can't be ignored.
Our door's open, and it'll make a much more satisfying footnote to our appearance on Rekt.
## Conclusion
This is all we have for now. We'll keep this file updated with additional details/updates as and when we have them.
For completeness, relevant links:
Post-mortem: https://twitter.com/ndxfi/status/1448856180697280514
Rekt article: https://rekt.news/indexed-finance-rekt/
Statement on path forward: https://twitter.com/ndxfi/status/1449160684852453384