Recently, Indexed Finance suffered a hack where assets worth $16 Million were exploited from CC10 and DEFI5. Notably, Indexed Finance is an absolutely decentralized protocol that provides users with passive portfolio management on Ethereum.
Image Source: Twitter (@ndxfi)
In this cyberattack, the way through which the index pools are rebalanced was exploited.
Let’s understand the cause:
Index Finance uses the approx values with Uniswap Oracle for determining the price within the Balancer pool whenever a token is added to the index pool. For accomplishing the task, "extrapolatePoolValueFromToken” function is used.
This given function is used to find the first token in the pool, which is wholly initialized & weigh over 0, and then it
multiplies the pool's balance with the reciprocal of weight.
This function is used by the controller to determine the new token's amount worth 1% of the pool and later used to price swaps. Note that the token will be considered initialized when it hits the balance, and then it can be sold and bought by the pool.
Now, what happens sometimes is that the price of the token changes very quickly. Due to this, the minimum value often does not equal 1% of the pool, and no one swaps it into the pool. Now, it might cause a delay in rebalancing, and hence, the controller uses another function, i.e., updateMinimumBalance, that actively resets virtual balance for uninitialized tokens.
Having said that, let's try to explore the cause of exploitation. DEFI5 was ready for the re-index during the time of the attack. During that time, UNI was the first token to be initialized fully with a weight over zero. Hence, UNI's price was used to approximate the pool's value, which set 11,926 as a minimum balance for SUSHI.
Hence, the exploit contract took nearly $156 worth of swaps in AAVE, COMP, CRV, SNX, MKR and UNI. Later, all the borrowed assets were used to buy UNI from the pool using dozens of swaps. Next, the minimum balance update was executed by the attacker, and then new DEFI5 were minted using previously purchased UNI. The borrowed SUSHI was used to mint extra DEFI5 when it was highly inflated due to minimum balance exploitation. Similar was the case with the CC10 exploit.
What will be done to prevent future attacks?
To prevent the future attack, the team has decided to modify the controller smart contracts for removing the approx value function. That function will be replaced by a function that will take the combined value of balances held by the pool.
Also, there will be a wait time of at least one day between a re-index and minimum balance update in a similar transaction.
Circuit breaker has been disabled for DEGEN and NFTP now that we have identified the root of the attack.
These pools are now operating normally again.
Swaps within the FF remain frozen for now due to it containing DEFI5 and CC10
~Twitter (@ndxfi)
The team is discussing to have a proposal for governance, and the people who lost their funds in the attack will soon be compensated.