DeFi protocol Indexed Finance was recently attacked, leading to the loss of $16 million worth of tokens. The protocol offers passive portfolio management for its users, and its DEFI5 and CC10 indices were exploited on Thursday.
According to a tweet by the protocol’s independent auditor, @Mudit_Gupta, the attacker exploited a function in the pool that extrapolates the entire value of the pool using the first token.
The Uniswap (UNI) token was the first token in the pool and the attacker manipulated its balance to change the total value of the whole pool.
They first took a series of flash loans including COMP, Aave, UNI, and more from SushiSwap and Uniswap V2. They then used the loans to buy out a significant portion of UNI from the pools.
This action caused the UNI balance in the pool to become so low that when the attacker initialized SUSHI as a new token, the SUSHI got allocated a higher weight and the attacker received more LP tokens than necessary.
Subsequently, the attacker burned the LP tokens for all of the underlying assets, paid off the flash loans, and made away with the remaining funds. The team immediately swung into action when they noticed the exploit, although it was a little too late.
However, they went on to disable the affected pools and apply several other protective measures. Currently, though, two of the pools have resumed normal operations.
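The valuation flaw described above can be shown in a small numerical model. This is an added example, not code from Indexed Finance or its auditor: the `Asset` fields, prices, balances, weights and the 10% tolerance are constructed assumptions, and the prices stand in for an external time-averaged oracle.

```python
# Simplified model, NOT Indexed Finance's contract code. All names, balances,
# prices and weights below are constructed for illustration.
from dataclasses import dataclass

@dataclass
class Asset:
    balance: float  # tokens currently held by the pool
    price: float    # reference price in USD (assumed time-averaged oracle)
    weight: float   # normalized target weight; weights sum to 1.0

def value_from_first_token(pool):
    """Flawed estimate: extrapolate the whole pool's value from the first token."""
    first = next(iter(pool.values()))
    return first.balance * first.price / first.weight

def value_from_all_tokens(pool):
    """Reference estimate: sum every asset's balance times its price."""
    return sum(a.balance * a.price for a in pool.values())

def safe_pool_value(pool, tolerance=0.10):
    """Return the full valuation, refusing to proceed when the one-token
    extrapolation disagrees with it by more than `tolerance`."""
    full = value_from_all_tokens(pool)
    extrapolated = value_from_first_token(pool)
    if abs(extrapolated - full) / full > tolerance:
        raise ValueError("balances are out of line with weights; "
                         "do not size a new token from this state")
    return full

def make_pool(uni, comp, aave):
    # UNI is listed first, as in the pool described in the article.
    return {
        "UNI": Asset(uni, 25.0, 0.50),
        "COMP": Asset(comp, 500.0, 0.25),
        "AAVE": Asset(aave, 250.0, 0.25),
    }

balanced = make_pool(uni=20_000, comp=500, aave=1_000)  # balances match weights
skewed = make_pool(uni=2_000, comp=1_200, aave=2_400)   # UNI mostly bought out

if __name__ == "__main__":
    for name, pool in (("balanced", balanced), ("skewed", skewed)):
        print(name, value_from_first_token(pool), value_from_all_tokens(pool))
    try:
        safe_pool_value(skewed)
    except ValueError as err:
        print("rejected:", err)
```

In the skewed state the one-token extrapolation reports a fraction of what the pool actually holds, which is the condition under which a newly initialized token is sized against the wrong total.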
Indexed Finance Apologizes to Users
In a post-mortem report published on Friday, Indexed Protocol apologized to its affected users, adding that this was the first time it had suffered a hack since it was launched in December.
“We are truly apologetic to both those who have had funds drained and those who remain in unaffected pools.”
The DeFi space has witnessed an impressive amount of growth in recent months. However, this growth has brought an increase in bad actors in the space.
DeFi hacks and frauds had hit an all-time high of $240 million earlier in May. However, in the months since then, several other hacks have occurred. Just a few months ago, Ethereum-based DeFi protocol, Cream Finance, lost $25 million in a flash loan attack.