- Hacker makes off with more than $16 million from index pools
- $11 million drawn from the DEFI5 pool and $5 million siphoned from the CC10 pool
- Hacker tricked an algorithm running the index pools to favor him
- 2 separate and independent security whizzes failed to see the vulnerabilities

More than $16 million of user assets have disappeared from Indexed Finance's coffers. This came after a hacker took advantage of a vulnerability in the DeFi protocol's smart contract.
The hacker gamed the system, diverting funds from two of Indexed Finance's indices, the CC10 and DEFI5 pools. The attacker targeted the smart contract code that controls the value of assets that have been deposited in the different pools.
He pumped flash-loaned tokens into the two pools and exchanged those for UNI tokens. This tricked the algorithm into thinking that the pool's value was much lower than it really was.
With this done, it was possible to trick the pool's indices into burning their underlying tokens, helping him claim more than 11 million USD from DEFI5 and 5 million USD from CC10.
With the funds gone, there wasn't much else to be done about it. The Indexed Finance team sent out a post-mortem of the exploit. They also apologized to the community and suggested ways of preventing such an exploit in the future.

Kibet Elikana