Indexed Finance’s NDX Is Down 92% from ATH After $16 Million Hack Sends it Crashing
Indexed Finance, a decentralized protocol for passive portfolio management on Ethereum, got hacked for $16 million worth of assets this week.
This resulted in a drop of over 35% in the price of its native token NDX, currently trading at $2.28. The coin is now down about 92% from its early February high of $27.71.
Late on Thursday, the Index Finance team released the post-mortem of the attack noting since the project’s first deployment in December, it is the first time they have been hacked.
The hack was made possible because the way to measure the pool value could be manipulated. A new token could be added to the pool, noted by blockchain security company PeckShield Inc.
Indexed Finance is a modified version of Balancer where the swap affects the balances and the weights of the tokens.
Two of the project’s indexes, DEFI5 and CC10, were targeted in the attack. In the first one, the hacker flash swapped the pool tokens, including UNI and others, and then manipulated its weighing by adding a new token, SUSHI, to control the majority weight of it.
“The actual bug is that the extrapolated value returned by the pool is unreliable. Therefore, any logic that depended on that value is fucked. One way to fix this would have been to use different weights for pricing in the AMM from the weights used in the extrapolated pool value.”
Mudit Gupta Core Developer of SushiSwap
The attacker then initialized Sushi as a new token in the pool.
Due to the low extrapolated pool value, a small amount of SUSHI got allocated a large weight in the pool. The attacker got more than a fair share of LP tokens for adding SUSHI to the pool.
— Mudit Gupta (@Mudit__Gupta) October 15, 2021
To prevent any future attacks, the controller smart contracts will be modified, said the team. As for compensating the victims of the attack, the core team will discuss that with the community, with a proposal for governance soon coming.