After a $16 million hack in 2021, Indexed Finance, an Ethereum-based project, was able to successfully thwart two attempts at hijacking. The founders of the project will regain control of the decentralised autonomous organisation (DAO), with the intention of distributing the leftover money to the victims of the 2021 hack.
Former core contributor Laurence Day described in detail how the Indexed community thwarted two attempts to take control of the remaining treasury of the Indexed DAO in a thread on X (previously Twitter). Both attackers obtained substantial quantities of the NDX token for the system with the intention of using malicious proposals to seize control of the DAO’s holdings of digital assets, which totaled about $120,000.
The original plan was defeated by Day and other community members who organised the Indexed DAO for votes against it. The proposal had no title or description, seemingly to avoid detection. Within an hour, the attacker’s request was almost approved, but there were enough “No” votes to stop it from passing.
But Day feared a copycat attempt because the Indexed team had to publicly coordinate votes against the proposition. Day also explained in his post how a further vulnerability can put money outside of the DAO’s treasury at risk if it falls into hostile hands.
The Indexed DAO accepted a “poison pill” proposal, giving it the power to burn any remaining treasury funds in order to discourage future attacks and lessen the likelihood of one.
According to on-chain messages, the attacker first tried to bargain for half of the remaining treasure upon the expected second attack. In response, Indexed founder Dillon Kellar offered $10,000 in Dai and threatened to burn the entire treasury if the assailant declined.
After attempting to counter-negotiate for $17,000 with just four hours remaining until Kellar’s ultimatum, the attacker accepted the first offer and withdrew their harmful proposition. With plans to use the remaining treasury funds to reimburse victims of the 2021 hack, Day, Kellar, and the pseudonymous co-founder PR0 will once again wield a multisig to oversee the DAO.