The analysis of Indexed Finance Security Incident

0x1. Background

Our monitoring system

0x1.1 Relevant Contract Addresses

  • MarketCapSqrtController: 0x120c6956d292b800a835cb935c9dd326bdb4e011
  • DEFI5: 0xfa6de2697d59e88ed7fc4dfe5a33dac43565ea41
  • CC10: 0x17ac188e09a7890a1844e5e65471fe8b0ccfadf3

0x1.2 Attack Transactions

  • Attack TX-I: 0x44aad3b853866468161735496a5d9cc961ce5aa872924c5d78673076b1cd95aa
  • Attack TX-II: 0xbde4521c5ac08d0033019993b0e7e1d29b1457e80e7743d318a3c27649ca4417

0x2. Mechanism of Indexed Finance

0x2.1 Binding Token

Figure 1
Figure 2

0x2.2 What is Next?

Figure 3

0x3. Vulnerability Analysis

Figure 4
Figure 5
  • the value of the entire pool is extrapolated from the liquidity (balance) of a single token;
  • the weights of the pool (_totalWeight) and of the token (token.denorm) are not affected by changes in liquidity. They are instead driven by the market capitalization of the tokens on external markets, and their rate of change is bounded in time: a weight can increase or decrease by at most 1% per hour.
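To make the two weaknesses above concrete, here is an added Python illustration; it is not BlockSec's code and not the Indexed Finance contracts. It models a toy pool whose value is extrapolated from one token's balance and weight, and whose weights only drift toward an external market-cap target under a rate limit, then shows what a single large swap does to the estimate. The token names and balances are constructed, the extrapolation arithmetic (balance * _totalWeight / denorm) is an assumed reconstruction of the pattern the bullets describe, and the 1%/hour bound is read here as 1% of the current weight per hour.

```python
"""Added illustration, not code from BlockSec or Indexed Finance.

Models the two weaknesses described in the vulnerability analysis:
  1. the whole pool's value is extrapolated from ONE token's balance and
     weight, so inflating that balance inflates the estimate;
  2. weights (_totalWeight, token.denorm) ignore liquidity changes and only
     drift toward an external market-cap target, at most 1% per hour.
Token names, balances, the extrapolation arithmetic and the reading of the
1%/hour limit are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Record:
    balance: float  # token units held by the pool (the "liquidity")
    denorm: float   # denormalized weight of the token


@dataclass
class Pool:
    records: Dict[str, Record] = field(default_factory=dict)
    max_weight_change_per_hour: float = 0.01  # the 1%/hour bound from the text

    @property
    def total_weight(self) -> float:
        """_totalWeight: sum of all denormalized weights."""
        return sum(r.denorm for r in self.records.values())

    def extrapolate_pool_value_from_token(self, token: str) -> float:
        """Estimate the whole pool's value, denominated in `token`, from that
        token alone. Assumed arithmetic: balance * _totalWeight / denorm, i.e.
        the balance scaled up by the inverse of the token's weight share.
        Nothing about the other tokens' balances enters the estimate."""
        r = self.records[token]
        return r.balance * self.total_weight / r.denorm

    def swap_in(self, token: str, amount: float) -> None:
        """A swap changes liquidity immediately; weights are left untouched."""
        self.records[token].balance += amount

    def update_weight_toward_market_cap(self, token: str, target_denorm: float,
                                        hours_elapsed: float) -> float:
        """Move a token's weight toward the target derived from external market
        capitalization, capped at 1% of the current weight per elapsed hour."""
        r = self.records[token]
        max_step = r.denorm * self.max_weight_change_per_hour * hours_elapsed
        delta = max(-max_step, min(max_step, target_denorm - r.denorm))
        r.denorm += delta
        return r.denorm


def make_example_pool() -> Pool:
    """Constructed three-token pool (all numbers are made up for the example)."""
    return Pool({
        "A": Record(balance=1_000.0, denorm=5.0),
        "B": Record(balance=500.0, denorm=5.0),
        "C": Record(balance=250.0, denorm=10.0),
    })


def run_demo() -> Dict[str, float]:
    pool = make_example_pool()
    out = {
        "value_via_A_before": pool.extrapolate_pool_value_from_token("A"),
        "value_via_B_before": pool.extrapolate_pool_value_from_token("B"),
    }
    # Attacker pushes a large amount of A into the pool in a single transaction.
    pool.swap_in("A", 9_000.0)
    out["value_via_A_after"] = pool.extrapolate_pool_value_from_token("A")
    out["value_via_B_after"] = pool.extrapolate_pool_value_from_token("B")
    # Even if the controller re-weights within the same hour, the weight can
    # move only 1%, so the inflated balance still dominates the estimate.
    out["denorm_A_after_update"] = pool.update_weight_toward_market_cap(
        "A", target_denorm=15.0, hours_elapsed=1.0)
    out["total_weight_after_update"] = pool.total_weight
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Extrapolating through token A, the estimate jumps from 4000 to 40000 after one swap, while extrapolating through token B still gives 2000: the single-token estimate is whatever the attacker makes that one balance, and the weights that are supposed to anchor it move by at most 1% in the same hour.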

0x4. Attack Analysis


BlockSec

A Blockchain Security and Data Company.