Blackmail was all that stood between the remaining funds in Indexed Finance’s crypto treasury and a devastating governance token attack.
When a watcher of the neglected Indexed Finance DAO noticed a malicious proposal meant to drain the DAO’s remaining $90,000, they demanded a share of the proposer’s profits to avoid outing the exploiter.
The proposer apparently declined, leading the blackmailer to alert former Indexed contributor Laurence Day, who then told his 30,000 followers on social media platform X of the attack.
Hours later, the governance proposal was narrowly defeated.
Indexed Finance launched in 2020 as an index fund for crypto but has seen activity mostly end in the time since a 2021 flash loan attack drained $15.8 million from the DAO’s coffers.
Since the attack, Day and developer Dillon Kellar stopped working on the protocol, and before last week, Indexed governance hadn’t seen a vote since mid-2022 when the treasury was recouping investor losses and funding a class-action lawsuit.
But in DeFi, protocols remain operational regardless of whether users exist. And as Indexed’s NDX governance token slid to a fraction of a cent, someone spied an opportunity.
400,000 NDX ($4,000 at the time) was needed to reach a governance quorum and pass a proposal. The exploiter made a nameless proposal with a two-day voting window containing code to drain Indexed’s depleted-but-still-existent treasury — containing some $92,000, per DeepDAO.
With the required NDX, the exploiter reached a quorum of votes in favor.
Read Also: Indexed Finance Attacker Attempted Another Exploit Relevant Feed
In the proposal’s waning hours, Day, the former Indexed contributor, learned of the exploit and made a plea to his followers on X.
“In keeping with the principle of ‘no, you shouldn’t get to raid the protocols of inactively developed projects for profit by leveraging governance’, I’d appreciate it if anyone who still happens to hold NDX that is delegated to themselves or another wallet they control to vote Against,” Day wrote.
Hi everyone,
There's currently an ongoing hostile governance attack taking place against the remnants of the Indexed Finance treasury – 36K in DAI and approx. 48K in NDX before slippage.
I never thought I'd have to post about Indexed governance again (it's been two years since… pic.twitter.com/mUUVMDnq4Q
— laurence (@functi0nZer0) November 18, 2023
“Against” votes flowed in and the proposal was defeated by a margin of about $90 in NDX.
Day alleges the person who tipped him off to the attack had first blackmailed the exploiter asking for 40% of the funds.
Absolutely *zero* credit to the person who warned us, because he sent a message to the proposer saying that he'd only warn us if he didn't get 40% of the proceeds
Asshole pic.twitter.com/8arD1zQwwg
— laurence (@functi0nZer0) November 18, 2023
On-chain sleuth ZachXBT linked the wallet address of the attempted exploit to a second attack on an inactive crypto project earlier this month.
On-chain is where things get interesting.
The person behind the Indexed Finance governance attack also attempted one on @relevantfeed via 0x9b9 earlier this month.
0x9b9 was funded by Alex Chon an alleged DPRK IT worker who has been fired from at least 2 roles for suspicious… https://t.co/vXYAmzPxnn pic.twitter.com/nXoVDaWYvZ
— ZachXBT (@zachxbt) November 18, 2023
Attacks on the treasuries of decrepit DAOs are becoming more common as failed projects accumulate but immutable code keeps funds sitting on-chain. A Solana-based DAO was exploited for $230,000 last month when a malicious proposal went unnoticed.
“The unintended side effect of having code governed by token holders that executes forever is that there [are] typically no plans for end of life,” Jeremiah Smith, CEO of DeFi security service OpenCover, said in a Telegram message. “The ‘space trash’ problem of onchain applications has only begun.”
