Inside the War Room: How Indexed Finance Traced Its $16M Hacker


Key Takeaways

  • Indexed Finance, a DeFi protocol for crypto-based indices, was exploited for $16 million last month.
  • The attacker executed an elaborate flash loan attack to exploit the functional logic of one of the project’s smart contracts.
  • Here is the story of how Laurence Day and Dillon Kellar, two core members of the Indexed Finance team, managed to identify the perpetrator.

It’s Oct. 14, eight o’clock in the evening. Laurence Day, the guy doing “a bit of everything” for Indexed Finance, is having dinner with his partner when his phone goes off. He checks—it’s Lito, Hop Protocol developer and Indexed advisor, sending an image of a transaction showing a ton of DEFI5 tokens getting burned and a ton of UNI tokens being moved, followed by lots of question marks.

His blood boiling in alarm, Laurence immediately jumps up, drops his dinner, tells his partner to hold off, and rushes to the shed next to his house. The shed hosts Laurence’s workstation, the place from where he and his colleague on the other side of the planet steward the Indexed protocol—a DeFi product for crypto-based indices that handled more than $70 million at its peak.

“I sit down, Telegram is going off, Discord is going off, question marks everywhere,” he remembers, confessing that all he could do in that moment was tweet “we’re looking into it” and get in touch with Dillon Kellar, Indexed’s sole Solidity developer. As they’ll both soon come to find out, Dillon is the person who wrote the smart contract that was exploited for a total of $16 million.

“Holy shit, Indexed has been attacked,” he told Dillon over the phone. Dillon could only say one word in response: “What?!”

Dillon, frozen in shock, immediately hung up the phone and appeared on Telegram 30 seconds later. This was to be the beginning of perhaps the most stressful time of their lives—three consecutive days of investigating with barely a moment to sleep. The two-person war room is now in an emergency state. “How does this happen?” they wondered. Indexed had been running for 10 months without a major incident. Exploits like this usually happen to forked protocols, often shortly after deployment, but this one was different. Indexed’s smart contracts were original, written from scratch, and had been functioning as designed for over 10 months. How could this be?

Deleted Chat Logs

With no time to waste, Dillon and Laurence immediately got to work. While Laurence handled the community blowback on social media, Dillon quickly identified the exact part of the code that caused the attack, realized that the rest of the pools were safe, and—with help from Daniel Luca and Andrei Simion, a pair who run a small smart contract auditing firm called Monoceros Alpha—began digging through transactions to figure out exactly what had happened.

Dillon immediately knew that the exploit was linked to a specific function related to how new assets are introduced to the pool. “As soon as we saw SUSHI tokens in the DEFI5 index, we knew—that had to be it,” he says. He admits that, when he was writing the initial smart contracts, he was concerned about how new assets are introduced to the pools, so he had an intuitive feeling the function could potentially be exploited. “I spent weeks testing everything to convince myself it couldn’t really be exploited. Once the attack happened, I knew I had missed something there.”

The complexity of the exploit itself was remarkable. Dillon says that several of his teammates couldn’t open the debugger on their computers for a while because of how big it was. The exploit included more than 1,000 events, and the transaction bundle took up a full block on the blockchain. Most DeFi exploits involve far fewer events. After eight grueling hours of investigating, Dillon and Laurence felt they had a handle on the situation, published a post-mortem on the Indexed Medium blog, and tried calling it a day.

“At that point, all that we knew was how this happened and that everything else is safe,” remembers Laurence, who, at about seven o’clock that morning, tried going to bed. “I put my head on the pillow, trying to calm myself down when—it hits me! We had been talking with this person… if they’re up, they must’ve noticed this; they would be sending a sympathetic message.”

Laurence and Dillon recalled being approached about a month before the incident by a person using the pseudonym “UmbralUpsilon” on Discord. That person had contacted them to ask about specific protocol parameters under the pretense of writing a general-purpose crypto arbitrage bot. Even though the questions were suspiciously specific and generally irrelevant to the stated purpose of building an arbitrage bot, Laurence and Dillon obliged, answered all of the questions, and kept in contact.

Unable to dismiss the thought and fall asleep, Laurence opened up his chat with this person and found that they had deleted their half of the conversation. He then messaged Dillon to tell him what had happened, and Dillon found the same—the conversations were gone. “Hmm, OK, this isn’t suspicious at all,” Laurence admits thinking to himself. He started digging around and quickly found that UmbralUpsilon had changed his Discord name to “BogHolder#1688.”

Something didn’t feel right.

Following the Breadcrumbs

The next day, on Oct. 15, Indexed Finance got its first tangible lead. Someone from the smart contract auditing platform Code 423n4 (C4) messaged Indexed on Discord, revealing that BogHolder#1688 was also an active member of their community and a fairly competent “Warden” who had previously won fourth place in a coding contest and received a reward.

The bounty was sent to an Ethereum address which, upon further inspection, revealed that the account had made four deposits to Tornado Cash, a decentralized privacy-preserving transaction mixer. The outputs of the deposits matched the withdrawals of the exploit address. “They were all offset from the deposits by less than an hour,” explained Dillon, adding that this new detail solidified their suspicions that the Discord user BogHolder#1688 was responsible for the attack.
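The timing correlation Dillon describes (a fixed-denomination mixer deposit followed within an hour by a withdrawal of the same size to the suspect address) is the kind of check a tracing investigator scripts. The following is an added example, not the Indexed team’s code; the event records are constructed, and the two address labels are placeholders rather than the real addresses. A match is a lead to corroborate (here it was backed by KYC exchange links and account reuse), not proof on its own.

```python
# Added example: correlate mixer deposits with later withdrawals by denomination
# and time window. Sample data is constructed; addresses are placeholders.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class MixerEvent:
    kind: str        # "deposit" or "withdraw"
    address: str     # depositor for deposits, recipient for withdrawals
    amount_eth: int  # fixed pool denomination (mixers only accept fixed sizes)
    when: datetime

FUNDING_ACCOUNT = "0xFUNDING_PLACEHOLDER"   # placeholder, not a real address
EXPLOIT_ADDRESS = "0xEXPLOIT_PLACEHOLDER"   # placeholder, not a real address

# Constructed sample: four deposits by the funding account, each followed within an
# hour by a same-size withdrawal to the exploit address, plus unrelated noise.
T0 = datetime(2021, 9, 14, 10, 0)
SAMPLE_EVENTS = [
    MixerEvent("deposit", FUNDING_ACCOUNT, 10, T0),
    MixerEvent("withdraw", "0xOTHER_1", 10, T0 + timedelta(minutes=5)),
    MixerEvent("withdraw", EXPLOIT_ADDRESS, 10, T0 + timedelta(minutes=41)),
    MixerEvent("deposit", FUNDING_ACCOUNT, 10, T0 + timedelta(hours=2)),
    MixerEvent("withdraw", EXPLOIT_ADDRESS, 10, T0 + timedelta(hours=2, minutes=22)),
    MixerEvent("deposit", FUNDING_ACCOUNT, 10, T0 + timedelta(hours=5)),
    MixerEvent("withdraw", EXPLOIT_ADDRESS, 10, T0 + timedelta(hours=5, minutes=58)),
    MixerEvent("deposit", FUNDING_ACCOUNT, 10, T0 + timedelta(hours=9)),
    MixerEvent("withdraw", EXPLOIT_ADDRESS, 10, T0 + timedelta(hours=9, minutes=13)),
    MixerEvent("deposit", "0xOTHER_2", 10, T0 + timedelta(hours=12)),
    MixerEvent("withdraw", EXPLOIT_ADDRESS, 10, T0 + timedelta(hours=40)),  # outside window
]

def correlate(events, depositor, recipient, window=timedelta(hours=1)):
    """Pair each deposit by `depositor` with the earliest later, still-unmatched withdrawal
    of the same denomination to `recipient` inside `window`. Returns (pairs, unmatched),
    where each pair is (deposit, withdrawal, offset)."""
    deposits = sorted((e for e in events if e.kind == "deposit" and e.address == depositor),
                      key=lambda e: e.when)
    withdrawals = sorted((e for e in events if e.kind == "withdraw" and e.address == recipient),
                         key=lambda e: e.when)
    used, pairs, unmatched = set(), [], []
    for d in deposits:
        hit = next((i for i, w in enumerate(withdrawals)
                    if i not in used and w.amount_eth == d.amount_eth
                    and d.when < w.when <= d.when + window), None)
        if hit is None:
            unmatched.append(d)
        else:
            used.add(hit)
            pairs.append((d, withdrawals[hit], withdrawals[hit].when - d.when))
    return pairs, unmatched

if __name__ == "__main__":
    pairs, unmatched = correlate(SAMPLE_EVENTS, FUNDING_ACCOUNT, EXPLOIT_ADDRESS)
    print(f"{len(pairs)} deposit/withdrawal pairs within an hour, {len(unmatched)} unmatched")
```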

“Now we had the account that funded the exploit address and the Discord username behind it,” Laurence remembers. After digging through the transaction history, Dillon and his colleagues in the war room found that the account had links to two centralized exchanges that required completing KYC procedures, meaning they could now reach out to them to try to establish the attacker’s real identity. Upon realizing this, they published a blog post revealing everything they had found up until that moment and gave BogHolder#1688 an ultimatum: return the funds minus a 10% whitehat bounty or face law enforcement.

While waiting for a response from the exchanges, Indexed received another tip on Discord revealing that BogHolder#1688 had registered with Code423n4 using a GitHub account named “mtheorylord1.” This account had no prior or subsequent activity on GitHub. However, searching this username on Google revealed another GitHub account, “mtheorylord,” which in 2016 had made a single commit, creating a repository titled “Grade-12-Project.”

“Critical mathematician”

Inspecting the Git commit history, the team was able to find an email associated with the account, which included a domain owned by a high school in Canada. After discovering this email, the team was able to link it to a “mtheorylord” Wikipedia account, which, in 2016, edited a Wiki page about a competition for high school students to include a name (which matched the same email) with the descriptor, “Critical mathematician.”

From there, following the paper trail was simple. They ran a search on the name and found a domain that indicated that it belonged to a Masters’ student of pure mathematics at the University of Waterloo. After doing a reverse IP search on that domain, they found another website, which led them to an Urbit Discord server frequented by none other than BogHolder#1688. There, BogHolder#1688 had posted a link to an Urbit Planet NFT they owned. It turned out that the Ethereum address that owned the token could easily be traced back to an address associated with the exploit.

At this point, the team had it all: the exploit address, the account that funded it with links to centralized exchanges, the attacker’s Discord, GitHub, and StackExchange accounts, their email address, the high school and university they attended, home address, phone number, and most important of all—his full name.

“Doesn’t wait to Tornado, uses the same username, reveals his email in a GitHub commit… utter, utter rookie moves,” says Laurence in disbelief. While the exploit itself was certainly impressive, Dillon adds, the hacker had terrible OPSEC every step of the way. “Posting on Wikipedia five years ago using his full name to state that he’s a “critical mathematician” is the single reason we identified him,” Dillon says.

Everyone in the Indexed Finance war room was convinced that they had uncovered the right guy. All they had to do was wait for the attacker to return the funds before the ultimatum deadline or proceed to publicly dox him and report him to the police. The ordeal, however, was far from over; 20 minutes before the deadline, one of the DeFi developers who had volunteered to help the team identify the hacker found that one of the attacker’s websites was back online and updated to include additional personal information.

Upon quick examination, the team realized that the attacker was only 18. “This stopped things dead in the tracks for like, a day-and-a-half. We were about to dox an 18-year-old,” Laurence explains, saying that the newly surfaced information raised serious ethical concerns within the team.

To Dox or Not to Dox

Doxing and possibly reporting a young person to the police didn’t sit well with everyone on the team. Others disagreed. If he’s old enough to steal $16 million in an elaborate smart contract exploit, he’s old enough to face justice, thought one part of the team. Moreover, the teenager had spent his time following the attack taunting them on Twitter, writing occult poems, citing the “code is law” theory in his defense, and claiming that all he did was execute a clever arbitrage trade.

Others on the team weren’t too convinced, thinking that perhaps the situation had gone to his head. Perhaps he should be granted a little more time to consider the true magnitude of the situation he’s in, they thought. After all, if law enforcement got involved, the potential ramifications for the attacker’s life could be devastating. In a last-ditch effort to give the attacker a way out, Dillon messaged him on his personal phone, stating once again that he had been identified and would be reported to law enforcement unless he gave the money back.

“LOL, good luck,” replied the attacker, which had the effect of immediately ending all internal debates over the legal and ethical implications. At this point, it was all over. The Indexed Finance team immediately published another blog post revealing everything they knew about the attacker and gave all the evidence they had gathered to a lawyer who contacted the police.

“If he had waited a few more hours or days to mix the funds on Tornado, we wouldn’t have known,” say Laurence and Dillon, conceding that the fate of the victims’ funds and the attacker’s life were now in the hands of law enforcement. “Or if he wasn’t such a cocky 13-year-old.”

Code is Law?

Despite the Indexed team’s response, the perpetrator doesn’t seem to be budging. Several days after the incident, he posted a tweet saying that he was looking to hire a team of the “most elite crypto lawyers”—ones willing to push the case to the highest levels if need be.

According to his tweets, the attacker believes that he didn’t do anything illegal but instead executed a clever arbitrage trade. Technically, that is correct. This wasn’t a hack in the pure sense of the word, but a complex sequence of transactions that “exploited” the operational logic of Indexed Finance’s smart contract to disproportionately benefit the attacker. He didn’t technically “steal” the funds—he just executed a bunch of ultra-complex trades to get hold of them.

The opposing argument that Laurence and the Indexed team make is that arbitrage is supposed to make markets—not break them. To that point, Jason Gottlieb, a lawyer representing several people involved with Indexed, replied to the attacker on Twitter, saying “Code is not law. Law is law. And what you did was not a “clever trade.” It was market manipulation. It’s illegal. And people go to jail for it.”

“Code is law” is a fairly controversial doctrine circulating mostly within the crypto community. It implies that smart contracts on blockchains like Ethereum create a new legal system with predefined, self-executing, and self-enforcing contractual relationships, the rules and conditions of which cannot be changed ex post facto. In simpler terms, it means that smart contracts replace legal codes in the digital realm and are sufficient for governing what people do online. Thus, the attacker would argue, if the smart contract allowed the transaction, it’s fair game—the transaction is legal.

Whether or not this argument can stand its ground in court remains to be seen. If the relevant law enforcement authorities decide to pursue this case, and the attacker uses this thesis in his defense, it could mark the first real showdown between “code is law” and—well, the actual law.

Disclosure: At the time of writing, the author of this piece owned ETH, SUSHI, and several other cryptocurrencies.
