The analysis of Indexed Finance Security Incident

0x.1 Background

At 02:38 (UTC+8) on Oct 15th, 2021, our internal monitoring system (we just released an online system to engage the community: caught suspicious flashloan transactions:

Our monitoring system

0x1.1 Relevant Contract Addresses

  • MarketCapSqrtController: 0x120c6956d292b800a835cb935c9dd326bdb4e011
  • DEFI5: 0xfa6de2697d59e88ed7fc4dfe5a33dac43565ea41
  • CC10: 0x17ac188e09a7890a1844e5e65471fe8b0ccfadf3

0x1.2 Attack Transactions

  • Attack TX-I: 0x44aad3b853866468161735496a5d9cc961ce5aa872924c5d78673076b1cd95aa
  • Attack TX-II: 0xbde4521c5ac08d0033019993b0e7e1d29b1457e80e7743d318a3c27649ca4417

0x2. Mechanism of Indexed Finance

To better understand the vulnerability/attack, we use DEFI5 (i.e., the pool hacked by the attacker) to demonstrate the mechanism of Indexed Finance.

0x2.1 Binding Token

DEFI5 is designed to provide the trade service for Top 5 tokens of DeFi projects of Ethereum. Specifically, Indexed Finance will update the token rankings based on their market cap through MarketCapSqrtController. Because the sort of Top 5 tokens might change as time goes by, the number of tokens used by the DEFI5 pool may bigger than 5, as shown in the following code:

Figure 1
Figure 2

0x2.2 What is the Next?

After the token binding, DEFI5 has to set a variable named ready (that indicates the token status) to to be true to enable the trade:

Figure 3

0x3. Vulnerability Analysis

The vulnerable code belongs to updateMinimumBalance function of MarketCapSqrtController.

Figure 4
Figure 5
  • using one token’s liquidity to estimate the value of the entire pool;
  • the weights of the pool (_totalWeight) and the token (token.denorm) are not affected by the change of the liquidity. As a matter of fact, they are influenced by the Market Capacity of the external markets. Besides, their change is limited by the time period, i.e., increase or decrease 1% per hour.

0x4. Attack Analysis

The attack consists of the following 9 steps:



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


The BlockSec Team focuses on the security of the blockchain ecosystem and the research of crypto hack monitoring and blocking, smart contract auditing.