Imagine a digital ghost town, once bustling with activity, now largely abandoned. This is the reality for many Decentralized Autonomous Organizations (DAOs) in the crypto space after the initial hype fades. Indexed Finance, a project that aimed to be a crypto index fund, found itself in this very situation. But in the world of DeFi, even dormant projects can hold dormant treasures – and attract unwanted attention. Recently, Indexed Finance became the stage for a drama involving blackmail, a near-successful exploit, and a last-minute community save.
A DAO on Life Support: The Indexed Finance Story
Indexed Finance launched in 2020 with the vision of creating index funds for the burgeoning crypto market. However, like many projects in the volatile crypto world, its trajectory wasn’t always smooth. A significant blow came in 2021 when a flash loan attack drained a staggering $15.8 million from its treasury. This event led to key contributors, Laurence Day and Dillon Kellar, stepping away from active development. Governance activity dwindled, with the last vote before this incident occurring in mid-2022, focused on recouping investor losses and legal proceedings.
But here’s a crucial aspect of DeFi: code is law, and protocols often remain operational even when community engagement wanes. Indexed Finance, despite its inactivity, still held funds in its treasury. As the price of its governance token, NDX, plummeted to mere fractions of a cent, opportunistic eyes began to watch.
The $90,000 Opportunity (and the Exploit Attempt)
With NDX tokens trading at rock bottom prices, gaining control of the DAO’s governance became surprisingly affordable. Here’s how the attempted exploit unfolded:
- Low Quorum, High Reward: Only 400,000 NDX tokens were needed to reach the governance quorum required to pass a proposal. At the time, this amount cost a mere $4,000.
- Stealth Proposal: An attacker acquired the necessary NDX and submitted a proposal. Filed under a generic title and given only a two-day voting window, the proposal contained malicious code designed to drain the DAO’s treasury.
- The Target: The treasury, though depleted compared to its peak, still held around $92,000 worth of crypto assets, according to DeepDAO. A tempting prize for minimal investment.
- Quorum Reached: Leveraging their acquired NDX, the attacker quickly secured enough votes to reach the quorum, setting the stage for the exploit.
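The four steps above are exactly the signals a defender can watch for, which is the point of the later takeaways about monitoring dormant DAOs and cheap governance tokens. The following is an added example (not code from the article, Indexed Finance or any of the people named) of a proposal screener that scores a pending governance proposal on those signals: how cheaply a quorum can be bought relative to the treasury, whether the voting window is short, whether the title is generic, whether any call moves treasury assets, and how long the DAO has been silent. Every class, threshold, address and sample value is a constructed assumption; the figures in the sample DAO state are modelled on the numbers quoted in this piece.

```python
"""Governance-proposal screener for low-activity DAOs.

Added example, not part of the article or of Indexed Finance. Flags a pending
proposal using heuristics drawn from the attack pattern described above. All
names, thresholds, addresses and sample values are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple
import re

# Constructed thresholds (assumptions, not taken from the article).
CHEAP_QUORUM_RATIO = 0.10   # buying a quorum costs under 10% of the treasury
SHORT_WINDOW_DAYS = 3       # voting window of three days or less
DORMANT_DAYS = 365          # no governance vote for a year or more
GENERIC_TITLE_RE = re.compile(r"^(proposal|update|upgrade|maintenance)\b", re.I)
TREASURY_MOVE_RE = re.compile(r"(transfer|withdraw|send|sweep|approve)", re.I)


@dataclass(frozen=True)
class Call:
    target: str     # contract the proposal would call if executed
    function: str   # function it would invoke on that contract


@dataclass(frozen=True)
class Proposal:
    title: str
    voting_window_days: int
    calls: Tuple[Call, ...]
    submitted: date


@dataclass(frozen=True)
class DaoState:
    quorum_tokens: float        # tokens needed to reach quorum
    token_price_usd: float
    treasury_usd: float
    treasury_address: str
    last_vote: date             # date of the last completed governance vote


def attack_cost_ratio(dao: DaoState) -> float:
    """Cost of buying a quorum on the open market, divided by treasury value."""
    return dao.quorum_tokens * dao.token_price_usd / dao.treasury_usd


def screen_proposal(dao: DaoState, proposal: Proposal) -> List[str]:
    """Return the risk flags raised by a proposal (empty list if none)."""
    flags = []
    if attack_cost_ratio(dao) < CHEAP_QUORUM_RATIO:
        flags.append("cheap_quorum")
    if proposal.voting_window_days <= SHORT_WINDOW_DAYS:
        flags.append("short_window")
    title = proposal.title.strip()
    if GENERIC_TITLE_RE.match(title) or len(title.split()) < 3:
        flags.append("generic_title")
    # Any call aimed at the treasury that looks like an asset movement.
    if any(c.target.lower() == dao.treasury_address.lower()
           and TREASURY_MOVE_RE.search(c.function)
           for c in proposal.calls):
        flags.append("treasury_transfer")
    if (proposal.submitted - dao.last_vote).days > DORMANT_DAYS:
        flags.append("dormant_dao")
    return flags


def verdict(flags: List[str]) -> str:
    """ALERT when treasury assets move alongside other warning signs."""
    if "treasury_transfer" in flags and len(flags) >= 3:
        return "ALERT"
    return "REVIEW" if flags else "OK"


# Constructed sample state modelled on the figures quoted above: a 400,000
# token quorum costing about $4,000 (so roughly $0.01 per token), a $92,000
# treasury, and a last vote in mid-2022. Addresses are placeholders.
INDEXED_LIKE = DaoState(
    quorum_tokens=400_000, token_price_usd=0.01, treasury_usd=92_000,
    treasury_address="0xTREASURY_PLACEHOLDER", last_vote=date(2022, 6, 30))

# Constructed proposal shaped like the one described: generic title,
# two-day window, a single call that moves treasury funds.
SUSPICIOUS = Proposal(
    title="Proposal", voting_window_days=2,
    calls=(Call("0xTREASURY_PLACEHOLDER", "transfer"),),
    submitted=date(2023, 11, 16))

# Constructed benign proposal: descriptive title, week-long vote, and a
# parameter change on a pool contract rather than a treasury transfer.
BENIGN = Proposal(
    title="Raise swap fee on the index pool to 0.3%", voting_window_days=7,
    calls=(Call("0xPOOL_PLACEHOLDER", "setSwapFee"),),
    submitted=date(2023, 11, 16))


if __name__ == "__main__":
    for p in (SUSPICIOUS, BENIGN):
        f = screen_proposal(INDEXED_LIKE, p)
        print(f"{p.title!r}: {verdict(f)} {f}")
```

The DAO-level flags (cheap quorum, long dormancy) fire for both proposals, which is the state a dormant treasury is permanently in; what separates an alert from routine review is the call-level check on what the proposal would actually execute against the treasury contract. A real monitor would decode the proposal's calldata rather than match on a function name, but the shape of the decision is the same.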
Blackmail Enters the Scene: A Twisted Turn of Events
Just when the exploit seemed inevitable, a bizarre twist occurred: blackmail. An observer, monitoring the on-chain activity, spotted the malicious proposal and recognized the impending danger. Instead of immediately alerting the community, this individual chose a more unconventional route: extortion.
- The Blackmailer’s Demand: This opportunistic watcher contacted the exploiter, demanding a 40% cut of the stolen funds in exchange for silence. Effectively, “pay me, or I’ll expose you and stop your attack.”
- Rejection and Revelation: The exploiter apparently refused to negotiate with the blackmailer. Spurned, the blackmailer decided to take a different path – public disclosure.
- Alerting the Veteran: The blackmailer contacted Laurence Day, a former key contributor to Indexed Finance, informing him of the ongoing exploit attempt.
Community to the Rescue: The Power of Decentralization (Sometimes)
Laurence Day, despite no longer being actively involved in Indexed Finance, still cared about the project and its principles. He took to X (formerly Twitter) to sound the alarm to his 30,000 followers.
In keeping with the principle of 'no, you shouldn't get to raid the protocols of inactively developed projects for profit by leveraging governance', I'd appreciate it if anyone who still happens to hold NDX that is delegated to themselves or another wallet they control to vote Against
Proposal: https://t.co/j5o1jXgM6g
— function() { 🔥 } 0xΩ (@functi0nZer0) November 18, 2023
His plea resonated with the remaining NDX holders. A wave of “Against” votes poured in, just in the nick of time. The proposal was narrowly defeated, with a margin equivalent to a mere $90 in NDX tokens. A tiny difference, but a massive victory against the exploit.
Turns out the person who tipped me off to the exploit first blackmailed the exploiter for 40% of the funds 😂
— function() { 🔥 } 0xΩ (@functi0nZer0) November 18, 2023
Déjà Vu? The Exploiter’s Track Record
Adding another layer to this already intriguing story, on-chain investigator ZachXBT linked the wallet address involved in the Indexed Finance attempt to another exploit targeting an inactive crypto project earlier in the month. This suggests a pattern of behavior, targeting dormant DAOs for potential treasury raids.
Wallet: 0x43270996271B99F1f03F01550f27816e84a8b767
Also involved in the https://twitter.com/SolendProtocol/status/1722704776157153641 exploit attempt. https://t.co/c5nYe5m7pP
— ZachXBT (@zachxbt) November 18, 2023
The Growing Problem of ‘DeFi Space Trash’
The Indexed Finance incident highlights a growing concern in the DeFi space: the accumulation of “space trash.” As projects fail or become inactive, their DAOs often remain on-chain, with smart contracts still functioning and treasuries holding funds. These abandoned protocols become prime targets for opportunistic attackers.
Jeremiah Smith, CEO of DeFi security service OpenCover, aptly described this issue: “The unintended side effect of having code governed by token holders that executes forever is that there [are] typically no plans for end of life. The ‘space trash’ problem of onchain applications has only begun.”
Key Takeaways and the Future of DAO Security
The Indexed Finance saga offers several important lessons for the DeFi community:
- Vigilance is Key, Even for Dormant Projects: Even inactive DAOs require monitoring. Treasuries, no matter how small, can attract malicious actors.
- Governance Tokens as Attack Vectors: Low-value governance tokens can be exploited to gain control over DAOs, especially in projects with low community participation.
- The Ethics of On-Chain Blackmail: The blackmailer’s actions raise ethical questions. While their intervention ultimately prevented the exploit, their initial approach was far from altruistic.
- Community Power Still Exists: Despite the project’s inactivity, a timely community response, sparked by a concerned individual, successfully defended against the attack.
- ‘Space Trash’ is a Real Threat: The DeFi space needs to develop strategies for managing and decommissioning inactive protocols and their treasuries securely to mitigate future risks.
Conclusion: A Narrow Escape and a Wake-Up Call
The Indexed Finance exploit attempt, thwarted by a combination of blackmail and community action, serves as a stark reminder of the evolving security landscape in DeFi. It underscores the need for continuous vigilance, even for projects that appear to be relics of the past. As the DeFi space matures, addressing the challenge of ‘space trash’ and developing robust mechanisms for DAO security will be crucial to ensure the long-term health and trustworthiness of decentralized finance.
Disclaimer: The information provided is not trading advice, Bitcoinworld.co.in holds no liability for any investments made based on the information provided on this page. We strongly recommend independent research and/or consultation with a qualified professional before making any investment decisions.