Indexed Finance, an Ethereum-based project that fell victim to a $16 million hack in 2021, has successfully thwarted two attempted takeovers. The project’s Decentralized Autonomous Organization (DAO) will soon revert control to its original founders, who intend to allocate remaining funds to those affected by the 2021 security breach.
Former core contributor Laurence Day detailed the community's efforts on X (formerly Twitter), outlining the challenges faced in countering two hijacking attempts on the Indexed DAO's remaining vaults. Both attackers managed to acquire a significant volume of the protocol's NDX tokens and sought control over approximately $120,000 in digital assets held by the DAO through malicious proposals.
The initial attack proposal was crafted without a title or description, seemingly to evade detection, but was defeated when Day and other community members organized the Indexed DAO to vote against it. Within an hour, the attacker's proposal nearly succeeded, but enough "no" votes were cast to prevent its passage. However, as public coordination is required for voting against such proposals, Day foresees the potential for copycat attacks. Moreover, according to Day’s post, if unfriendly control is established over the DAO's treasury, additional vulnerabilities may threaten funds beyond the treasury itself.
To mitigate the risk of future attacks, the Indexed DAO has approved a “poison pill” proposal, empowering it to burn remaining treasury funds if necessary, serving as a deterrent to potential attackers. In response to the second attack, the attackers initially sought to negotiate for 50% of the remaining treasury. Indexed founder Dillon Kellar countered by suggesting the issuance of $10,000 worth of Dai and warned that refusal would result in the entire vault being burned.
As Kellar's ultimatum approached, and after attempting to renegotiate for $17,000, the attacker ultimately agreed to the initial offer and withdrew the malicious proposal. Subsequently, the DAO's authority will be transferred back to multisigs controlled by Day, Kellar, and pseudonymous co-founder PR0, with plans in motion to utilize the remaining treasury funds to compensate victims affected by the 2021 hack.


















