- Indexed Finance, a DeFi protocol for crypto-based indices, was exploited for $16 million last month.
- The attacker executed an elaborate flash loan attack to exploit the functional logic of one of the project’s smart contracts.
- This is the story of how Laurence Day and Dillon Kellar, two core members of the Indexed Finance team, managed to identify the perpetrator.
It’s Oct. 14, eight o’clock in the evening. Laurence Day, the guy doing “a little bit of everything” for Indexed Finance, is having dinner with his wife when his phone goes off. He checks—it’s Lito, Hop Protocol developer and Indexed advisor, sending an image of a transaction showing a ton of DEFI5 tokens getting burned and a ton of UNI tokens being moved, followed by several question marks.
His blood boiling in panic, Laurence immediately jumps up, abandons his dinner, tells his wife to hold off, and rushes to the shed near his house. The shed hosts Laurence’s workstation, the place from where he and his colleague on the other side of the planet steward the Indexed protocol—a DeFi product for crypto-based indices that handled more than $70 million at its peak.
“I sit down, Telegram is going off, Discord is going off, question marks everywhere,” he recalls, confessing that all he could do in that moment was tweet “we’re looking into it” and call Dillon Kellar, Indexed’s sole Solidity developer. As they’ll both soon come to find out, Dillon is the person who wrote the smart contract that was exploited for a total of $16 million.
“Holy shit, Indexed has been attacked,” he told Dillon over the phone. Dillon could only utter one word in response: “What?!”
Dillon, frozen in shock, immediately hung up the phone and appeared on Telegram 30 seconds later. This was to be the beginning of the most stressful time of their lives—three consecutive days investigating with barely a moment to sleep. The two-person war room is now in an emergency state. “How does this happen?” they wondered. Indexed had been running for 10 months without a major incident. Exploits like this typically happen to forked protocols, usually soon after deployment, but this one was different. Indexed’s smart contracts were unique, written from scratch, and functioning as designed for over 10 months. How could this be?
Deleted Chat Logs
With no time to waste, Dillon and Laurence immediately got to work. While Laurence dealt with the community blowback on social media, Dillon quickly identified the general area that caused the attack, realized that the rest of the pools were safe, and—with help from Daniel Luka and Andrei Simi, a pair who run a small smart contract auditing firm called Monoceros Alpha—started digging through transactions to figure out precisely what happened.
Dillon immediately knew that the exploit was linked to a particular function related to how new assets are introduced to the pool. “As soon as we saw SUSHI tokens in the DEFI5 index, we knew—that had to be it,” he says. He admits that, when he was writing the initial smart contracts, he was concerned about how new assets are introduced to the pools, so he had an intuitive feeling the function could potentially be exploited. “I spent weeks testing everything to convince myself it couldn’t actually be exploited. Once the attack happened, I knew I had missed something there.”
The complexity of the exploit itself was astounding. Dillon says that many of his teammates couldn’t open the debugger on their computers for a while because of how big it was. The exploit included more than 1,000 events, and the transaction bundle took up an entire block on the blockchain. Most DeFi exploits usually have far fewer events. After eight grueling hours of investigating, Dillon and Laurence felt they had a grasp on the situation, published a post-mortem on the Indexed Medium blog, and tried calling it a day.
“At that point, all that we knew was how this happened and that everything else is safe,” recalls Laurence, who, at about seven o’clock that morning, tried going to bed. “I put my head on the pillow, trying to calm myself down when—it hits me! We were speaking with this person… if they’re up, they must’ve noticed this; they might be sending a sympathetic message.”
Laurence and Dillon recalled being approached about a month before the incident by a person using the pseudonym “UmbralUpsilon” on Discord. This person had contacted them to inquire about specific protocol parameters under the pretense of writing a general-purpose crypto arbitrage bot. Although the questions were suspiciously specific and often irrelevant to the stated purpose of building an arbitrage bot, Laurence and Dillon obliged, answered all of them, and kept in touch.
Unable to brush off the thought and fall asleep, Laurence opened up his chat with this person and found that they had deleted their half of the conversation. He then messaged Dillon to tell him what happened, and Dillon found the same—the conversations were gone. “Hmm, OK, this isn’t suspicious at all,” Laurence admits thinking to himself. He started digging around and quickly found that UmbralUpsilon had changed his Discord name to “BogHolder#1688.”
Something didn’t feel right.
Following the Breadcrumbs
The following day, on Oct. 15, Indexed Finance got its first tangible lead. Someone from the smart contract auditing platform Code 423n4 (C4) messaged Indexed on Discord, revealing that BogHolder#1688 was also an active member of their community and a fairly competent “Warden” who previously had won fourth place in a coding contest and received a reward.
The bounty was sent to an Ethereum address which, upon further inspection, revealed that the account had made four deposits to Tornado Cash, a decentralized privacy-preserving transaction tumbler. The outputs for the deposits matched the withdrawals of the exploit address. “They were all offset from the deposits by less than an hour,” explained Dillon, adding that this pretty much solidified their suspicions that the Discord user BogHolder#1688 was responsible for the attack.
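The deposit-to-withdrawal correlation the team describes above, as an added Python example (not code from the Indexed team): every address, transaction id and timestamp below is a constructed placeholder, and the one-hour window and fixed-denomination matching are assumptions taken from the account in the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data: placeholder addresses, tx ids and times,
# not the real Indexed Finance or attacker transactions.
T0 = datetime(2021, 10, 13, 12, 0)

@dataclass(frozen=True)
class Transfer:
    tx: str            # placeholder transaction id
    counterparty: str  # depositor address or withdrawal recipient
    amount_eth: float  # mixer pools only accept fixed denominations
    when: datetime

FUNDING_DEPOSITS = [  # funding account -> mixer
    Transfer("d1", "0xFUNDER", 100.0, T0),
    Transfer("d2", "0xFUNDER", 100.0, T0 + timedelta(minutes=5)),
    Transfer("d3", "0xFUNDER", 100.0, T0 + timedelta(minutes=12)),
    Transfer("d4", "0xFUNDER", 100.0, T0 + timedelta(minutes=20)),
]
MIXER_WITHDRAWALS = [  # mixer -> various recipients
    Transfer("w1", "0xEXPLOIT", 100.0, T0 + timedelta(minutes=31)),
    Transfer("w2", "0xSOMEONE", 10.0, T0 + timedelta(minutes=33)),  # other pool
    Transfer("w3", "0xEXPLOIT", 100.0, T0 + timedelta(minutes=37)),
    Transfer("w4", "0xEXPLOIT", 100.0, T0 + timedelta(minutes=44)),
    Transfer("w5", "0xEXPLOIT", 100.0, T0 + timedelta(minutes=55)),
    Transfer("w6", "0xLATE", 100.0, T0 + timedelta(hours=5)),       # too late
]

def correlate_mixer_flows(deposits, withdrawals, window=timedelta(hours=1)):
    """Pair each withdrawal with the earliest unmatched deposit of the same
    denomination that landed before it and less than `window` earlier.
    Each pair is circumstantial (the mixer severs the on-chain link), but a
    run of same-size deposits answered by same-size withdrawals within a short
    window is the pattern the war room treated as decisive."""
    unmatched = sorted(deposits, key=lambda t: t.when)
    pairs = []
    for w in sorted(withdrawals, key=lambda t: t.when):
        for d in unmatched:
            offset = w.when - d.when
            if d.amount_eth == w.amount_eth and timedelta(0) <= offset < window:
                pairs.append((d, w, offset))
                unmatched.remove(d)
                break
    return pairs

def linked_recipients(pairs):
    """Recipients of matched withdrawals, with how many pairs point at each."""
    counts = {}
    for _, w, _ in pairs:
        counts[w.counterparty] = counts.get(w.counterparty, 0) + 1
    return counts
```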
“Now we had the account that funded the exploit address and the Discord username behind it,” Laurence recalls. After digging through the transaction history, Dillon and his colleagues in the war room found that the account had links to two centralized exchanges that required completing KYC procedures, meaning they could now reach out to them to try to obtain the attacker’s real identity. Upon realizing this, they published a blog post revealing everything they had found up until that moment and gave BogHolder#1688 an ultimatum: return the funds minus a 10% whitehat bounty or face law enforcement.
While awaiting a response from the exchanges, Indexed received another tip on Discord revealing that BogHolder#1688 had registered with Code423n4 using a GitHub account named “mtheorylord1.” This account had no previous or future activity on GitHub. However, searching this username on Google revealed another GitHub account, “mtheorylord,” which in 2016 had made a single commit, creating a repository titled “Grade-12-Project.”
Inspecting the repository’s commit history from the Git command line, the team was able to find an email address associated with the account, which used a domain owned by a high school in Canada. After discovering this email, the team was able to link it to a “mtheorylord” Wikipedia account, which, in 2016, edited a Wiki page about a game show for high school students to include a name (matching the same email) with the descriptor “Notable mathematician.”
From there, following the paper trail was easy. They ran a search on the name and found a website indicating that it belonged to a master’s student of pure mathematics at the University of Waterloo. After doing a reverse IP search on that domain, they found another website, which led them to an Urbit Discord server frequented by none other than BogHolder#1688. There, BogHolder#1688 had posted a link to an Urbit Planet NFT they owned. It turned out that the Ethereum address that owned the token could easily be traced back to an address associated with the exploit.
At this point, the team had it all: the exploit address, the account that funded it with links to centralized exchanges, the attacker’s Discord, GitHub, and StackExchange accounts, their email address, the high school and university they attended, home address, phone number, and most important of all—his full name.
“Doesn’t wait to Tornado, uses the same username, reveals his email in a GitHub commit… utter, utter rookie moves,” says Laurence in disbelief. While the exploit itself was certainly impressive, Dillon adds, the hacker had terrible OPSEC every step of the way. “Posting on Wikipedia five years ago using his full name to say that he’s a ‘notable mathematician’ is the only reason we identified him,” Dillon says.
Everyone in the Indexed Finance war room was convinced that they’d uncovered the right guy. All they had to do was wait for the attacker to return the funds before the ultimatum deadline or proceed to publicly dox him and report him to the police. The ordeal, however, was far from over; 20 minutes before the deadline, one of the DeFi developers who had volunteered to help the team identify the hacker found that one of the attacker’s websites was back online and updated to include additional personal information.
Upon quick examination, the team realized that the attacker was only 18. “This stopped things dead in the tracks for like, a day-and-a-half. We were about to dox an 18-year-old,” Laurence explains, saying that the newly surfaced information raised serious ethical concerns within the team.
To Dox or Not to Dox
Doxing and potentially reporting a teenager to the police didn’t sit well with everyone on the team. Others disagreed. If he is old enough to steal $16 million in an elaborate smart contract exploit, he’s old enough to face justice, thought one part of the team. Besides, the teenager had spent his time following the attack taunting them on Twitter, writing occult poems, citing the “code is law” theory in his defense, and claiming that all he did was execute a clever arbitrage trade.
Others on the team weren’t too convinced, thinking that perhaps the situation had gone to his head. Maybe he should be granted a bit more time to consider the true magnitude of the situation he’s in, they thought. After all, if law enforcement got involved, the potential ramifications on the attacker’s life could be devastating. In a last-ditch effort to provide the attacker a way out, Dillon messaged him on his personal phone, stating once again that he’s been identified and will be reported to law enforcement unless he gives the money back.
“LOL, good luck,” responded the attacker, which had the effect of immediately ending all internal debates over the moral and ethical implications. At this point, it was all over. The Indexed Finance team immediately published another blog post revealing everything they knew about the attacker and gave all the evidence they had gathered to a lawyer that contacted the police.
“If he had waited a few more hours or days to mix the funds on Tornado, we wouldn’t have known,” conclude Laurence and Dillon, conceding that the fate of the victims’ funds and the attacker’s life were now in the hands of law enforcement. “Or if he wasn’t such a cocky 13-year-old.”
Code is Law?
Despite the Indexed team’s response, the perpetrator does not appear to be budging. Several days after the incident, he posted a tweet saying that he was looking to hire a team of the “most elite crypto lawyers”—ones willing to push the case to the highest levels if need be.
Based on his tweets, the attacker believes that he didn’t do anything illegal but instead executed a clever arbitrage trade. Technically, that is correct. This wasn’t a hack in the pure sense of the word, but a complex series of transactions that “exploited” the operational logic of Indexed Finance’s smart contract to disproportionately benefit the attacker. He didn’t technically “steal” the funds—he just executed a bunch of ultra-complex trades to get hold of them.
The opposing argument that Laurence and the Indexed team make is that arbitrage is supposed to make markets—not break them. To that point, Jason Gottlieb, a lawyer representing a number of individuals involved with Indexed, responded to the attacker on Twitter, saying “Code is not law. Law is law. And what you did was not a ‘clever trade.’ It was market manipulation. It’s illegal. And people go to prison for it.”
“Code is law” is a relatively controversial doctrine circulating mostly within the crypto community. It implies that smart contracts on blockchains like Ethereum form a new legal system with predefined, self-executing, and self-enforcing contractual relationships, the rules and conditions of which cannot be changed ex post facto. In simpler terms, it means that smart contracts replace legal codes in the digital realm and are sufficient for controlling what people do online. Thus, the attacker would argue, if the smart contract permitted the transaction, it’s fair game—the transaction is legal.
Whether this argument can stand its ground in court remains to be seen. If the relevant law enforcement authorities decide to pursue this case, and the attacker uses this thesis in his defense, it could mark the first direct showdown between “code is law” and—well, the actual law.
Disclosure: At the time of writing, the author of this feature owned ETH, SUSHI, and several other cryptocurrencies.