On October 14th, 2021 it was just your ordinary day in DeFi.
Everything was eerily quiet… Then the exploit happened.
Nobody was prepared for the 19 year old math prodigy that was about to rock the world with this $16M attack.
Everything was eerily quiet… Then the exploit happened.
Nobody was prepared for the 19 year old math prodigy that was about to rock the world with this $16M attack.
Meet Andean Medjedovic (on the right). He’s a young Canadian mathematician who spends his time writing complex mathematical research…
& in his free time, writes some of the most advanced exploits known to DeFi.
& in his free time, writes some of the most advanced exploits known to DeFi.
On the cursed Thursday evening of the attack, the Indexed finance team heard the blood-turning words that every DeFi developer fears most:
“Holy shit, Indexed has been attacked.”
$16M was in the hands of an attacker, & the treasury didn’t have funds to cover all of their losses
“Holy shit, Indexed has been attacked.”
$16M was in the hands of an attacker, & the treasury didn’t have funds to cover all of their losses
Indexed finance was unique. Its code was built mostly from scratch, and it offered crypto index portfolios in a single token.
Andean, the 19 year old attacker was able to manipulate the prices of assets in pools with a complex arbitrage transaction.
Andean, the 19 year old attacker was able to manipulate the prices of assets in pools with a complex arbitrage transaction.
Team members at Indexed quickly sprang in to action in hopes to save what could be salvaged.
Upon plugging the exploit txs in a debugger, they quickly realized how bad the situation was.
It took many attempts to even open it correctly because of how big it was.
Upon plugging the exploit txs in a debugger, they quickly realized how bad the situation was.
It took many attempts to even open it correctly because of how big it was.
Once working, the debugger finally revealed a mind-blowing tx.
At first, nobody knew what they were looking at.
It was so complex that it made up of more than 1,000 events, & the bundle took up an entire block on the blockchain.
Here’s just a small glimpse of its entirety:
At first, nobody knew what they were looking at.
It was so complex that it made up of more than 1,000 events, & the bundle took up an entire block on the blockchain.
Here’s just a small glimpse of its entirety:
It took an entire 8 hours and army of solidity developers in a “war room” to determine the design of the exploit.
Now it was about getting funds back to users.
Unlike many other exploits in DeFi, the story does not end here…
Now it was about getting funds back to users.
Unlike many other exploits in DeFi, the story does not end here…
Dillon, a developer at Indexed claims to have had a gut feeling from the moment he heard about the exploit.
This dev designed the smart contracts, & admitted he had an intuitive feeling that the function could be exploited, but was unable to hack it himself.
What happened next?
This dev designed the smart contracts, & admitted he had an intuitive feeling that the function could be exploited, but was unable to hack it himself.
What happened next?
https://twitter.com/d1ll0nk/status/1448856748467630085
Indexed developers Dillon and Laurence did what anyone else would do.
Started digging.
A month before, the pair had been suspiciously approached by an odd individual on Discord, who had the name “UmbralUpsilon.”
He asked them about technical details about the protocol…
Started digging.
A month before, the pair had been suspiciously approached by an odd individual on Discord, who had the name “UmbralUpsilon.”
He asked them about technical details about the protocol…
During the chat, the Discord user claimed to be building a small arbitrage bot.
Both Dillon & Laurence took note of how suspiciously specific his questions were & how unrelated they were to his initial inquiry.
This would prompt the developers to read over the messages again…
Both Dillon & Laurence took note of how suspiciously specific his questions were & how unrelated they were to his initial inquiry.
This would prompt the developers to read over the messages again…
Only to find that the user deleted half of their conversation.
Some more digging would lead them to find that “UmbralUpsilon”had now changed their name to “BogHolder#1688.”
This was the bombshell that would lead to a real breakthrough in the case the next day…
Some more digging would lead them to find that “UmbralUpsilon”had now changed their name to “BogHolder#1688.”
This was the bombshell that would lead to a real breakthrough in the case the next day…
When a smart contract auditing platform revealed BogHolder#1688 was a regular and active member of their community.
He had previously won 4th place in a bounty for a coding contest, with the rewards being sent to his ETH address.
He had previously won 4th place in a bounty for a coding contest, with the rewards being sent to his ETH address.
This address coincidentally had four deposits to Tornado Cash, a privacy tool, which matched the withdrawals made by the exploiter address a day later.
With this information, the devs were able to contact centralized exchanges that he had previously interacted with…
With this information, the devs were able to contact centralized exchanges that he had previously interacted with…
Which required KYC (know your customer procedures), meaning Andean’s identity was ousted from lack of OpSec.
The final dagger came from small connections to a GitHub page with the name “mtheorylord1.”
Inspecting the git cli, the team found a 12th grade project with his email.
The final dagger came from small connections to a GitHub page with the name “mtheorylord1.”
Inspecting the git cli, the team found a 12th grade project with his email.
If all of this information still wasn’t crazy enough for you, it gets even better.
Those who are familiar with DeFi, know stuff like this doesn’t happen often.
Indexed finance was actually in a unique position to fight back with actual proof.
Those who are familiar with DeFi, know stuff like this doesn’t happen often.
Indexed finance was actually in a unique position to fight back with actual proof.
So, they filed a class action lawsuit against the teen.
They were on track to setting legal precedent, being the 1st time in history any government actively pursued a DeFi hacker.
Unfortunately, 19 year old math prodigy Andean Medjedovic was not going down without a fight.
They were on track to setting legal precedent, being the 1st time in history any government actively pursued a DeFi hacker.
Unfortunately, 19 year old math prodigy Andean Medjedovic was not going down without a fight.
https://twitter.com/laurence_e_day/status/1473753308233969670
In a bizarre tweet, he took offense, asking for “the most elite crypto lawyers” to help him fight against the case.
He appears to be making the case that “code is law,” & he did nothing other than use the contract as it was deployed.
He appears to be making the case that “code is law,” & he did nothing other than use the contract as it was deployed.
https://twitter.com/zetazeroes/status/1451067152153423875
Inevitably, this facade dissolved in late 2021, when a judge in Canada issued a arrest warrant for Andean "Andy" Medjedovic, the 19-year-old math whiz.
This came after Andean failed to attend a face-to-face hearing in court in December.
Funds have still not been returned.
This came after Andean failed to attend a face-to-face hearing in court in December.
Funds have still not been returned.
Anyways, I hope you all enjoyed! I tried something different with this one… 🥐
I’m going to be documenting more of the crazy stuff that occurs here every single day.
This is an absolutely wild story not enough people talk about: bakery.fyi/indexed-exploi…
I’m going to be documenting more of the crazy stuff that occurs here every single day.
This is an absolutely wild story not enough people talk about: bakery.fyi/indexed-exploi…
• • •
Missing some Tweet in this thread? You can try to
force a refresh
