
The Indexed Finance Hack

Summary

Indexed Finance was a decentralized finance (DeFi) protocol built on Ethereum, designed to function like traditional mutual funds or exchange-traded funds (ETFs). Instead of holding a basket of equities, its index pools contained a mix of digital assets, offering users single-token exposure to diversified crypto portfolios. Its smart contracts were built largely from scratch, providing automated portfolio management while also introducing unique vulnerabilities.

On October 14, 2021, the protocol suffered a catastrophic exploit resulting in a $16 million loss of user funds. The attacker, 19-year-old math prodigy Andean Medjedovic, exploited a flaw in the re-indexing mechanism, manipulating smart contract logic to extract multimillion-dollar gains from investor funds. In a groundbreaking move, Indexed Finance pursued legal action against him—one of the first times a DeFi hack was challenged in traditional courts. A class-action lawsuit was filed, and after Medjedovic claimed that "code is law" and enlisted top crypto lawyers, a Canadian judge issued an arrest warrant in December 2021 when he failed to appear in court. Despite these legal efforts, the stolen funds remain unrecovered.

Key Addresses and Transactions

Index Pool: 0x5bd628141c62a901e0a83e630ce5fafa95bbdee4

Controller: 0x120c6956d292b800a835cb935c9dd326bdb4e011

DEFI5 Pool: 0xfa6de2697d59e88ed7fc4dfe5a33dac43565ea41

CC10 Pool: 0x17ac188e09a7890a1844e5e65471fe8b0ccfadf3

Exploiter Contract 1: 0x277e851587eb5da22b52a10f4788576e68150277

Exploiter Contract 2: 0xfbc2e6b188013fc5eacd9944e6b8ced2c467464a

Exploiter: 0xba5ed1488be60ba2facc6b66c6d6f0befba22ebe

Defi 5 Tx: 0x44aad3b853866468161735496a5d9cc961ce5aa872924c5d78673076b1cd95aa

CC10 Tx: 0xbde4521c5ac08d0033019993b0e7e1d29b1457e80e7743d318a3c27649ca4417

Decoding the Exploit

The exploit stemmed from a flaw in the re-indexing mechanism of the Controller contract, which allowed Medjedovic to manipulate price calculations in the DEFI5 and CC10 liquidity pools. He artificially distorted token valuations by leveraging $156 million in flash loans from Uniswap and Sushiswap, enabling withdrawals at manipulated exchange rates. The attack, spanning an entire Ethereum block with over 1,000 recorded events, is among the most sophisticated DeFi exploits ever executed.

Indexed Finance relied on a single reference token (UNI) to estimate total pool value, using Uniswap oracles and the extrapolatePoolValueFromToken function to price new tokens. When market fluctuations caused discrepancies, the updateMinimumBalance function adjusted virtual balances to prevent rebalancing delays.

Understanding Reindex Pool function using AI feature of Blockscope's Contract Analysis tool

Medjedovic exploited this system by triggering a re-index, making UNI the reference token, and using flash loans to acquire nearly all the UNI in the pools. With valuation based solely on the diminished UNI balance, the system miscalculated pool worth—DEFI5, for example, was valued at only ~$300K despite holding over $100M in assets. This error allowed him to mint DEFI5 tokens at an undervalued rate and redeem them for real assets like AAVE, COMP, MKR, SNX, and CRV, draining millions before repaying the flash loans and netting $11M.

On-Chain Activity

On-chain analysis using the Tracer tool mapped the flow of funds and transaction interactions across all involved addresses. This visualization detailed flash loan transactions, fraudulent profit extraction, and asset movements, exposing the key participants and the intricate transaction patterns that enabled the exploit.

Tracer showing the Indexed Finance exploit

To understand the exploit better, let's study the DEFI5 Pool exploit and see how the exploiter manipulated the contract and made fraudulent gains.

Breakdown and Analysis

1. Initiating the Re-Indexing Process

At the time of the attack, the DEFI5 index pool was scheduled for a re-indexing event following three weekly re-weighs, which allowed any participant to trigger a re-index. Medjedovic invoked the reindexPool function to add SUSHI to the index, joining UNI, AAVE, COMP, SNX, CRV, and MKR. Since UNI was the first token in the list, its price was used to approximate the pool’s total value. This process also established a minimum balance for SUSHI, initially set at 11,926 SUSHI (~$126k).

Tx. Hash: 0x44aad3b853866468161735496a5d9cc961ce5aa872924c5d78673076b1cd95aa

Transaction Decoder displaying the trace call of the DEFI 5 Pool during re-indexing
Logs from Transaction Decoder showing Sushi Token added after re-indexing

2. Borrowing and Lending Tokens

The exploit contract 0x277e851587eb5da22b52a10f4788576e68150277 secured a flash loan of approximately $156 million in tokens—including UNI, AAVE, COMP, SNX, CRV, and MKR—from SushiSwap and Uniswap V2. These borrowed assets were used strategically to manipulate the pool’s valuation.

Trace call revealing flash loans taken by the exploiter
Multimillion worth of assets incoming through flash loans

3. Draining UNI to Distort the Pool Value

Medjedovic repeatedly swapped UNI—subject to MAX_IN_RATIO constraints—across multiple transactions. This significantly depleted the UNI balance in the pool, leading to a gross underestimation of its total value. To compound the effect, he also lent the borrowed tokens via SushiSwap to increase his leverage.

Token transfers indicate UNI being swapped for AAVE to drain UNI’s balance from the pool

4. Manipulating Minimum SUSHI Balance

With the UNI balance artificially diminished, Medjedovic invoked the updateMinimumBalance function. Since the Controller relied on the UNI balance for pricing, the recalculated pool value plunged—DEFI5 was mispriced at only 29,851 SUSHI (~$300k) despite containing over $100M in assets. Exploiting this discrepancy, he minted DEFI5 tokens using the undervalued UNI in multiple transactions, which inflated the pool supply dramatically.

Tx. Hash: 0x44aad3b853866468161735496a5d9cc961ce5aa872924c5d78673076b1cd95aa

Exploiter minting DEFI5 tokens using cheaply acquired UNI

5. Minting Additional DEFI5 Tokens with SUSHI

Next, he borrowed SUSHI to mint additional DEFI5 tokens at the inflated valuation and burned them in cycles to extract the underlying assets.

Minting DEFI5 tokens using Sushi

6. Extracting Liquidity and Repaying Flash Loans

Using the joinswapExternAmountIn function, he exploited the manipulated SUSHI weight to acquire large amounts of LP tokens. He then used exitPool to convert these tokens back into underlying assets, systematically draining UNI, AAVE, COMP, SNX, CRV, MKR, and SUSHI. By repeating this cycle, he extracted liquidity, repaid the flash loans, and exited with approximately $11 million in assets.

Trace call shows the exploiter exiting the pool by withdrawing funds
Exploiter profited $11M+ by artificially inflating rewards

A similar tactic was applied to the CC10 Pool, yielding additional profits.

Tx. hash: 0xbde4521c5ac08d0033019993b0e7e1d29b1457e80e7743d318a3c27649ca4417

Exploiter 2 contract transferring profits from the CC10 Pool to the main exploiter
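The valuation shortcut behind the Decoding the Exploit section and steps 1 to 4 above, as an added Python model that is not Indexed Finance's code: a pool value extrapolated from a single reference token's balance versus the full-basket sum, and the consistency check a controller could require before it recalculates a new token's minimum balance. The token set, weights, prices, the 1% share used for a new token's minimum balance and the function names are assumptions of this model; swaps are modelled without slippage or fees.

```python
from dataclasses import dataclass, replace

# Constructed sample pool: six tokens, each holding $1M at equal weight, so the
# reference-token shortcut and the full-basket valuation agree at the start.
@dataclass(frozen=True)
class Token:
    symbol: str
    balance: float  # units held by the pool
    weight: float   # normalized pool weight (sums to 1 across tokens)
    price: float    # oracle price in USD (constructed sample, not live data)

def make_pool():
    return {s: Token(s, 1_000_000 / p, 1 / 6, p)
            for s, p in [("UNI", 25.0), ("AAVE", 300.0), ("COMP", 300.0),
                         ("SNX", 10.0), ("CRV", 2.5), ("MKR", 2500.0)]}

def extrapolate_from_token(pool, ref):
    """Reference-token shortcut (modelled on extrapolatePoolValueFromToken, not
    its code): assumes the ref token's value share equals its weight, so
    total = balance * price / weight. Only one balance is ever consulted."""
    t = pool[ref]
    return t.balance * t.price / t.weight

def full_basket_value(pool):
    """Sum every token at its oracle price; one drained balance cannot move it."""
    return sum(t.balance * t.price for t in pool.values())

def drain_reference(pool, ref, into, fraction):
    """Model of swapping `into` for `ref` against the pool: the pool loses
    `fraction` of its ref balance and gains equal USD value of `into`
    (slippage and fees ignored)."""
    r, i = pool[ref], pool[into]
    moved_usd = r.balance * fraction * r.price
    new = dict(pool)
    new[ref] = replace(r, balance=r.balance * (1 - fraction))
    new[into] = replace(i, balance=i.balance + moved_usd / i.price)
    return new

def extrapolation_is_consistent(pool, max_rel_error=0.05):
    """Defensive check: extrapolating from every token must agree with the
    full basket within tolerance, so a lopsided pool blocks the update."""
    true_value = full_basket_value(pool)
    return all(abs(extrapolate_from_token(pool, s) - true_value) / true_value
               <= max_rel_error for s in pool)

def new_token_min_balance(pool_value_usd, new_token_price, share=0.01):
    """Minimum balance assigned to a newly indexed token. The 1% share is an
    assumption for this model, not the protocol's constant."""
    return pool_value_usd * share / new_token_price
```

With 99% of the reference token swapped out, the single-token estimate falls to 1% of the basket's real value while the full-basket sum is unchanged, and the consistency check rejects the state instead of letting the minimum balance be set from the distorted figure.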

Post Exploit

On-chain forensics provided a breakthrough in identifying the attacker. Indexed Finance Owners Dillon and Laurence noticed suspicious activity from a Discord user named "UmbralUpsilon," who later changed his username to "BogHolder#1688" and deleted messages. Further investigation revealed that BogHolder#1688 had won 4th place in a coding competition, with the prize money sent to an Ethereum address linked to Tornado Cash—this address matched withdrawals from the exploiter’s wallet. Blockchain analysis then connected these activities to a GitHub account ("mtheorylord1") tied to Medjedovic’s email, conclusively unmasking him as the attacker.

Indexed Finance even offered him 10% of the stolen assets, which he refused, taunting Dillon and Laurence instead. Moreover, a legal case is still underway against Medjedovic in Ontario, Canada, and an indictment has been read against him in a district court of Brooklyn, NY, marking a significant effort to hold a DeFi hacker accountable through traditional legal channels. In a recent tweet, Laurence shared an old email that he had sent to Medjedovic back in 2021.

Post Mortem Report of the exploit by Indexed Finance: https://ndxfi.medium.com/indexed-attack-post-mortem-b006094f0bdc
