
Review of the Indexed Finance hacking incident: Mathematical genius breaches DeFi platform

Summary: An 18-year-old graduate student profited from a vulnerability in Indexed Finance's code, raising a legal dilemma that continues to shock the blockchain community, and this person remains missing.
Christopher Beam
2022-09-29 09:01:55

Written by: Christopher Beam

Translated by: Translation Guild tanghul, The SeeDAO

The date is October 14. The location is a house near Leeds, England. When his phone pinged, Lawrence Day was sitting on the sofa enjoying a dinner of fish and chips. The text was from a colleague at Indexed Finance, a cryptocurrency platform used to create tokens that each represent a basket of other tokens, akin to an index fund, but on the blockchain. The colleague had sent a screenshot of a recent transaction record, followed by a question mark. "If you don't understand this stuff, you might say, 'This transaction is pretty good,'" Day said. But he was an expert, and the image was enough to alarm him: a user had bought a large amount of certain tokens at an extremely low price, which should have been impossible. Something serious had happened.

Day jumped up, spilling food everywhere, and ran into the bedroom to call one of the founders of Indexed, Dylan Keller. Six time zones away, near Austin, Keller was sitting in his mother's living room, dismantling a DVD player in an attempt to salvage the laser head inside. He picked up the phone and heard Day breathlessly explaining that the platform had been attacked. Keller recalled, "I just said, 'What?'"

[Photo: Day. Photographer: Joanne Coates for Bloomberg Businessweek]

They pulled out their laptops and dove into the platform's code. A few friends also pitched in to help, and Day's cat Finny (named after Bitcoin pioneer Hal Finney) climbed onto his shoulder in support. Indexed was built on Ethereum, a public ledger that records transaction details, which meant the attack's transactions were also on it. It would take weeks to work out exactly what had happened, but it was clear that the platform had been manipulated: the index tokens in users' hands had been severely undervalued by the pool, letting the attacker buy them at a steep discount. In total, the perpetrators made off with assets worth $16 million.

Keller and Day stopped the losses, fixed the code to prevent further attacks, and then began to face a public relations nightmare. In the platform's Discord and Telegram channels, token holders were speculating wildly and cursing, some blaming the team and demanding compensation. Keller apologized on Twitter to hundreds of Indexed users, taking responsibility for failing to spot the vulnerability. He wrote, "I messed up."

The immediate question was who had launched the attack and whether they would return the funds. In most cases, attacks exploiting vulnerabilities in crypto platforms are assumed to be inside jobs until proven otherwise. "By default, people always ask, 'Who did it? Why would the development team do this?'" Day said.

The morning after the attack, Day was trying to sleep for a bit when he suddenly realized that a contributor hadn't been active for a while. A few weeks earlier, a programmer with the username UmbralUpsilon (anonymity is standard practice in the crypto community) had contacted Day and Keller on Discord, saying he wanted to create a bot that would make the platform more efficient. They agreed and sent him a startup fee. Keller said, "At the time, we hoped he might become a regular contributor."

Given the scope of their discussions, Day thought that after the attack, UmbralUpsilon would help them out or at least express sympathy. However, nothing came. Day pulled up their chat records and found that only his part of the conversation remained; UmbralUpsilon had deleted his messages and changed his username. "That made me jump out of bed," Day said.

He shared his suspicions with the team. In the following days, they carefully searched online for the digital traces of the attacker. They discovered that the Ethereum wallet used to transfer tokens in the attack was linked to a wallet used by a participant in a recent hacking competition to collect a prize, and this participant sometimes referred to himself as UmbralUpsilon. They pulled up the person's registration information and saw it linked to a personal profile on the collaborative coding platform GitHub.

The creator of this GitHub profile used an email address starting with "amedjedo," and the domain belonged to a public school board in Ontario. Day and his colleagues also found that a Wikipedia editor's username was very similar to this person's. This editor had modified the page for a popular high school intelligence competition in Canada, adding a name in the "Alumni" section: "Andean Medjedovic, renowned mathematician." The rest of the work was left to Google. Until recently, Medjedovic was a master's student at the University of Waterloo in Ontario, studying mathematics. His resume showed an interest in cryptocurrency.

The whole team breathed a sigh of relief. Typically, once the identity of a cyber attacker is confirmed, they will return the funds in exchange for a face-saving bounty and earn the title of "white hat hacker." Day contacted UmbralUpsilon, offering a 10% reward for the safe return of the tokens. Day reluctantly praised him with a "well done," but received no reply. Then, Keller tried another strategy; he messaged Medjedovic directly, calling him "Andean." This time, Medjedovic responded. He publicly mocked Indexed's users on Twitter: "You got scammed in an OTC trade. You can't do anything about it… that's cryptocurrency." Another team member emailed Medjedovic separately, saying they would pay him $50,000 if he returned the tokens. Medjedovic replied with a link to an Ethereum address and a message: "Send the money." They did not fall for it. Shockingly, they discovered that this tormentor was only 18 years old.

Finally, before having to involve lawyers and police, Keller sent Medjedovic one last plea by text. He wrote, "I beg you to give up now and make it easier on yourself." The teenager's reply was "Xdxdxd" (text shorthand for laughter), along with, "Good luck."

[Photo: Keller. Photographer: Cindy Elizabeth for Bloomberg Businessweek]

When they initially created Indexed, Keller and his co-founder envisioned it as an advancement in DeFi. The blockchain-based DeFi movement (decentralized finance) aims to provide a more automated and less intermediary-dependent way of lending, trading assets, and managing portfolios. Some supporters hold a pragmatic view of DeFi, seeing it as an improvement over traditional finance that eliminates fee-extracting intermediaries and slow human decision-making. Others are more libertarian, viewing DeFi as a utopia outside the existing system, a channel to evade rules and restrictions imposed by governments or large corporations. There are also skeptics who believe it is all a scam.

Keller, who describes himself as "very progressive," is firmly in the pragmatic camp. At 23, he felt that his computer science courses taught him nothing new, so he dropped out of the University of Texas at Dallas. Keller then founded the Indexed platform, trying to solve a problem: what if a person wants to trade cryptocurrencies but finds managing a portfolio every day too cumbersome?

In traditional finance, if an investor wants to hold a balanced basket of many stocks, they can hand the daily work of buying and selling to a portfolio manager by purchasing an index fund. Keller set out to create a similar mechanism on the blockchain, but driven by algorithms. Where an index fund manager holds a portfolio of the index's underlying stocks, Indexed's algorithm maintains, for each index token, an "asset pool" of the underlying tokens. Users can deposit one or all of the underlying assets into the pool in exchange for an index token; this process is called "minting." Conversely, users can "burn" an index token by returning it to the pool in exchange for one or all of the underlying assets. Additionally, like index exchange-traded funds (ETFs), users can buy and sell index tokens on decentralized exchanges like Uniswap.

Index funds come in various forms, each using different investment strategies. Some indices are market-cap weighted, like the S&P 500: if the price of a stock within the index rises, that stock's value in the portfolio also increases accordingly. Other index funds seek to maintain fixed proportions among the stocks. For example, if you want Microsoft stock to always represent 20% of the portfolio, when Microsoft's stock price rises, the portfolio manager will sell some to maintain its 20% weight.

Keller and his team modeled Indexed after these types of funds, using a mechanism called "automated market maker (AMM)" to maintain the balance between underlying assets, which many DeFi platforms do. Unlike traditional market makers, AMMs do not buy and sell assets themselves. Instead, they incentivize traders to buy tokens from the pool or sell tokens into the pool by adjusting the "pool price" of internal tokens, helping the asset pool achieve the desired asset balance. When the pool needs more of a certain token, its "pool price" rises; when demand for a certain token decreases, its "pool price" falls. This model assumes that users will rationally interact with the protocol, buying low and selling high.

By eliminating human managers, Indexed was able to avoid management fees. For users of its main competitor, Index Coop, simply holding its most popular index token incurs a management fee of 0.95%. (Indexed charges fees for burning tokens and swapping assets in the pool, but these only affect a small portion of users). Indexed also saves costs by limiting the number of interactions between the platform and external entities. For example, when Indexed needs to calculate the total value of all assets in a certain asset pool, it sometimes infers this based on the weight and value of the token with the highest weight in the pool (called the "benchmark token"), rather than checking the price of each token on exchanges like Uniswap. In this way, Indexed reduces the transaction fees paid on Ethereum. Keller views "complete passivity" as a "natural extension of how index funds currently operate."

But "passivity" also brings risks. If there are issues with the code, someone can exploit it directly without needing to bypass any human protections. The list of cryptocurrency platforms that have been attacked is long and growing every week: Poly Network, Wormhole, Cream Finance, Rari Capital… Day said, "There's an old saying in DeFi: there are two types of DeFi protocols: those that have been hacked and those that are about to be hacked."

Keller had long recognized a potential attack vector: the mechanism Indexed used to admit new tokens into an asset pool. When such an "index reconstruction" occurs (say, when the market value of one token overtakes that of another, making it eligible for inclusion in a blue-chip fund), the asset pool sets the initial price of the new token using a complex equation. One variable in that equation is the value of the benchmark token. If you could somehow distort the pool's pricing of the benchmark token, then in theory you could force the pool to misprice the other tokens as well.
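To make the mechanics concrete, here is an added illustration that is not code from Indexed Finance or from this article: a toy weighted-pool model in the style of the AMM the preceding paragraphs describe. It shows how the pool's internal spot price moves as balances move, how a valuation that extrapolates from the benchmark token alone (an assumed form of the shortcut described above) drifts away from a valuation that prices every token independently once the pool is pushed off its target shares, and the kind of sanity check a protocol could run before trusting the extrapolated figure. The token names, weights, prices and balances are constructed sample values.

```python
"""
Toy constant-weighted-product pool (Balancer-style), used here only to
illustrate the benchmark-extrapolation risk described in the article.
All numbers below are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class Pool:
    # Target weights sum to 1; the pool nudges each token's share of total
    # value toward its weight by moving the internal price.
    weights: dict
    balances: dict = field(default_factory=dict)

    def spot_price(self, token_in: str, token_out: str) -> float:
        # Price of token_out quoted in token_in: (B_in / w_in) / (B_out / w_out).
        # Less token_out in the pool (relative to its weight) -> higher price.
        return (self.balances[token_in] / self.weights[token_in]) / (
            self.balances[token_out] / self.weights[token_out]
        )

    def swap_exact_in(self, token_in: str, amount_in: float, token_out: str) -> float:
        # Preserves the invariant prod(B_i ** w_i); returns amount paid out.
        b_in, b_out = self.balances[token_in], self.balances[token_out]
        ratio = self.weights[token_in] / self.weights[token_out]
        amount_out = b_out * (1.0 - (b_in / (b_in + amount_in)) ** ratio)
        self.balances[token_in] = b_in + amount_in
        self.balances[token_out] = b_out - amount_out
        return amount_out


def balanced_pool(weights: dict, prices: dict, total_value: float) -> Pool:
    """Seed a pool so each token's value share exactly equals its weight."""
    return Pool(weights, {t: weights[t] * total_value / prices[t] for t in weights})


def extrapolated_value(pool: Pool, prices: dict) -> float:
    # Assumed form of the shortcut: value only the benchmark holding (the
    # highest-weight token) and scale up by its target weight. This is exact
    # only while the pool actually sits at its target shares.
    bench = max(pool.weights, key=pool.weights.get)
    return pool.balances[bench] * prices[bench] / pool.weights[bench]


def independent_value(pool: Pool, prices: dict) -> float:
    # Price every token separately: costlier on-chain, but not dependent on
    # any single token's balance being representative.
    return sum(pool.balances[t] * prices[t] for t in pool.balances)


def valuation_is_trustworthy(pool: Pool, prices: dict, tolerance: float = 0.05) -> bool:
    """Guardrail (hypothetical, not Indexed's own): accept the extrapolated
    value only if it agrees with the independent valuation within `tolerance`;
    otherwise a protocol should fall back to the full valuation or halt the
    sensitive operation (such as admitting a new token)."""
    est, ref = extrapolated_value(pool, prices), independent_value(pool, prices)
    return abs(est - ref) / ref <= tolerance


# Constructed sample data: three tokens with external reference prices in USD.
WEIGHTS = {"A": 0.5, "B": 0.3, "C": 0.2}   # A is the benchmark token
PRICES = {"A": 10.0, "B": 5.0, "C": 2.0}


def demo():
    pool = balanced_pool(WEIGHTS, PRICES, 100_000.0)
    before = (extrapolated_value(pool, PRICES), independent_value(pool, PRICES),
              valuation_is_trustworthy(pool, PRICES), pool.spot_price("A", "C"))
    # One large trade pushes the pool far from its target shares; the
    # benchmark-only estimate now badly overstates the pool's real value.
    pool.swap_exact_in("A", 5_000.0, "C")
    after = (extrapolated_value(pool, PRICES), independent_value(pool, PRICES),
             valuation_is_trustworthy(pool, PRICES), pool.spot_price("A", "C"))
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("balanced: extrapolated=%.0f independent=%.0f ok=%s price(C in A)=%.3f" % b)
    print("skewed:   extrapolated=%.0f independent=%.0f ok=%s price(C in A)=%.3f" % a)
```

Running the script shows the two valuations agreeing exactly on a freshly balanced pool and diverging by roughly fifty percent after a single large trade, which is the situation the guardrail is meant to catch; the divergence check is a design suggestion for this kind of shortcut, not a description of how Indexed's contracts actually handled it.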

Keller said, "I spent at least two weeks studying this issue." But he couldn't find any errors. The two security researchers he hired to check the code also found no errors. So he said, "I was convinced it wasn't an attack vector." However, Indexed still posted a warning on its website: "We are confident in the security of our contracts… (but) we cannot be absolutely certain that there are no overlooked errors."

The platform debuted in December 2020, initially offering two index tokens: CC10 and DEFI5. CC10 represents the 10 highest market cap tokens on Ethereum, while DEFI5 represents the 5 highest market cap DeFi tokens. The project quickly gained a small group of loyal fans, including Day. Day holds a PhD in theoretical computer science and a master's in financial engineering, with his master's thesis focused on optimizing stock market index portfolios. Indexed aligned with his interests and matched his relatively low risk tolerance. He said, "When it comes to investments outside of cryptocurrency, I'm completely boring."

Day and Keller got along well. They both shared a quirky sense of humor, with one being a talented writer and finance expert, and the other a creative programmer, complementing each other's skills. "I'm completely a humanities person, and Dylan is the quintessential STEM guy," said Day, now 33. In April 2021, Day quit his job at an oil and gas company and joined Indexed full-time.

That year, interest in cryptocurrency surged. Fueled by this momentum, Indexed skyrocketed, quickly becoming the second-largest index protocol by market cap on Ethereum, behind only Index Coop. They raised their ambitions, launching more index tokens and planning upgrades to let assets in the pools earn interest. The DeFi platform Balancer, whose code Indexed had built on, was also encouraged and provided them with funding, a vote of confidence in Indexed's future.

When Indexed launched, Medjedovic, nicknamed Andy, had just begun his master's degree. He planned to complete his master's in a year. He was always quick in his work, having started taking 10th-grade math classes in elementary school, graduated high school at 14, and completed his undergraduate studies at the University of Waterloo in three years. The University of Waterloo is one of Canada's top schools for mathematics and computer science and is also the alma mater of Ethereum co-founder Vitalik Buterin. By the fall of 2021, Medjedovic had submitted his master's thesis on random matrix theory and planned to apply for a PhD. Waterloo mathematics professor David Jao said, "I can't think of any other student who could have gotten this degree so early."

Academically advanced, Medjedovic nonetheless lagged behind socially. A former classmate, who requested anonymity to speak candidly about sensitive issues, recalled that he was "confident to the point of arrogance," openly looking down on students he deemed less intelligent than himself. This classmate also said, "No matter what he did or said, he believed it was never wrong, it was absolute truth." It was reported that Medjedovic flirted with some extremist ideas: this classmate had heard him express admiration for white supremacy and eugenics
