Indexed Finance was exploited via a sophisticated oracle manipulation attack that inflated token prices within index pools to steal $16M.
The attacker exploited a flaw in Indexed Finance's rebalancing mechanism and pool token pricing. By manipulating the price of low-weight tokens within the index pools (using flash-loaned funds to buy up tokens), they inflated the calculated value of those tokens. The index's controller then allowed the attacker to swap artificially overvalued tokens for undervalued pool assets at the manipulated rate.
Stolen ETH and tokens moved through Tornado Cash. Indexed Finance offered a $500K bounty for fund return. A 18-year-old attacker was eventually identified through social engineering by Indexed Finance community members. Legal proceedings were launched in Canada, where the attacker was located. Attacker refused to return funds, claiming it was a legitimate arbitrage.
0x44aad3b853866468161735496a5d9cc8a0fb3e4c5e678c6f586530c441e4d7a7