THELOGICALINDIAN - An central attending into the war allowance and the contest that led to the doxing of the hacker that drained Indexed Finance of 16 actor aftermost ages
It’s Oct. 14, eight o’clock in the evening. Laurence Day, the guy accomplishing “a little bit of everything” for Indexed Finance, is accepting banquet with his wife back his buzz goes off. He checks—it’s Lito, Hop Protocol developer and Indexed advisor, sending an angel of a transaction assuming a ton of DEFI5 tokens accepting austere and a ton of UNI tokens actuality moved, followed by several catechism marks.
His claret baking in panic, Laurence anon all-overs up, flips his dinner, tells his wife to authority off, and rushes to the afford adjacent his house. The afford hosts Laurence’s workstation, the abode from area he and his aide on the added ancillary of the planet abettor the Indexed protocol—a DeFi artefact for crypto-based indices that handled added than $70 actor at its peak.
“I sit down, Telegram is activity off, Discord is activity off, catechism marks everywhere,” he recalls, confessing that all he could do in that moment was cheep “we’re attractive into it” and alarm Dillon Kellar, Indexed’s sole Solidity developer. As they’ll both anon appear to acquisition out, Dillon is the being who wrote the acute arrangement that was exploited for a absolute of $16 million.
“Holy shit, Indexed has been attacked,” he told Dillon over the phone. Dillon could alone absolute one chat in response: “What?!”
Dillon, arctic in shock, anon afraid up the buzz and appeared on Telegram 30 abnormal later. This was to be the alpha of the best demanding time of their lives—three afterwards canicule investigating with almost a moment to sleep. The two-person war allowance is now in an emergency state. “How does this happen?” they wondered. Indexed had been active for 10 months afterwards a above incident. Exploits like this about appear to angled protocols, usually anon afterwards deployment, but this one was different. Indexed’s acute affairs were unique, accounting from scratch, and activity as advised for over 10 months. How could this be?
Deleted Chat Logs
With no time to waste, Dillon and Laurence anon got to work. While Laurence dealt with the association blowback on amusing media, Dillon bound articular the accepted breadth that acquired the attack, accomplished that the blow of the pools were safe, and—with advice from Daniel Luka and Andrei Simi, a brace who run a baby acute arrangement auditing close alleged Monoceros Alpha—started digging through affairs to amount out absolutely what happened.
Dillon anon knew that the accomplishment was affiliated to a accurate action accompanying to how new assets are alien to the pool. “As anon as we saw SUSHI tokens in the DEFI5 index, we knew—that had to be it,” he says. He admits that, back he was autograph the antecedent acute contracts, he was anxious about how new assets are alien to the pools, so he had an automatic activity the action could potentially be exploited. “I spent weeks testing aggregate to argue myself it couldn’t absolutely be exploited. Once the advance happened, I knew I had absent article there.”
The complication of the accomplishment itself was astounding. Dillon says that abounding of his teammates couldn’t accessible the debugger on their computers for a while because of how big it was. The exploit included added than 1,000 events, and the transaction array took up an absolute block on the blockchain. Most DeFi exploits usually accept far beneath events. After eight arduous hours of investigating, Dillon and Laurence acquainted they had a butt on the situation, appear a post-mortem on the Indexed Average blog, and approved calling it a day.
“At that point, all that we knew was how this happened and that aggregate abroad is safe,” recalls Laurence, who, at about seven o’clock that morning, approved activity to bed. “I put my arch on the pillow, aggravating to calm myself bottomward when—it hits me! We were speaking with this person… if they’re up, they must’ve noticed this; they ability be sending a affectionate message.”
Laurence and Dillon recalled actuality approached about a ages afore the adventure by a being application the pseudonym “UmbralUpsilon” on Discord. They had contacted them to analyze about specific agreement ambit beneath the pretense of autograph a general-purpose crypto arbitrage bot. Although their questions were cautiously specific and generally extraneous for the accurate purpose of architecture an arbitrage bot, Laurence and Dillon obliged, answered all of the questions, and kept in touch.
Unable to besom off the anticipation and abatement asleep, Laurence opened up his babble with this being and begin that they had deleted their bisected of the conversation. He again messaged Dillon to acquaint him what happened, and Dillon begin the same—the conversations were gone. “Hmm, OK, this isn’t apprehensive at all,” Laurence admits cerebration to himself. He started digging about and bound begin that UmbralUpsilon had afflicted his Discord name to “BogHolder#1688.”
Something didn’t feel right.
Following the Breadcrumbs
The afterward day, on Oct. 15, Indexed Finance got its aboriginal actual lead. Someone from the acute arrangement auditing belvedere Code 423n4 (C4) messaged Indexed on Discord, absolute that BogHolder#1688 was additionally an alive affiliate of their association and a adequately competent “Warden” who ahead had won fourth abode in a coding challenge and accustomed a reward.
The compensation was beatific to an Ethereum address which, aloft added inspection, appear that the annual had fabricated four deposits to Tornado Cash, a decentralized privacy-preserving transaction tumbler. The outputs for the deposits akin the withdrawals of the accomplishment address. “They were all account from the deposits by beneath than an hour,” explained Dillon, abacus that this appealing abundant caked their suspicions that the Discord user BogHolder#1688 was amenable for the attack.
“Now we had the annual that adjourned the accomplishment abode and the Discord username abaft it,” Laurence recalls. After digging through the transaction history, Dillon and his colleagues in the war allowance begin that the annual had links to two centralized exchanges that appropriate commutual KYC procedures, acceptation they could now ability out to them to try to access the attacker’s absolute identity. Upon acumen this, they appear a blog post absolute aggregate they had begin up until that moment and gave BogHolder#1688 an ultimatum: acknowledgment the funds bare a 10% whitehat compensation or face law enforcement.
While apprehension a acknowledgment from the exchanges, Indexed accustomed addition tip on Discord absolute that BogHolder#1688 had registered with Code423n4 application a GitHub annual called “mtheorylord1.” This annual had no antecedent or approaching action on GitHub. However, analytic this username on Google appear addition GitHub account, “mtheorylord,” which in 2016 had fabricated a distinct commit, creating a athenaeum blue-blooded “Grade-12-Project.”
“Notable mathematician”
Inspecting the Git command line, the aggregation was able to acquisition an email associated with the account, which included a area endemic by a aerial academy in Canada. After advertent this email, the aggregation was able to articulation it to a “mtheorylord” Wikipedia account, which, in 2016, edited a Wiki folio about a bold appearance for aerial academy acceptance to accommodate a name (which akin the aforementioned email) with the descriptor, “Notable mathematician.”
From there, afterward the cardboard aisle was easy. They ran a chase on the name and begin a website that adumbrated that it belonged to a Masters’ apprentice of authentic mathematics at the University of Waterloo. After accomplishing a about-face IP chase on that domain, they begin addition website, which led them to an Urbit Discord server frequented by none added than BogHolder#1688. There, BogHolder#1688 had acquaint a articulation to an Urbit Planet NFT they owned. It angry out that the Ethereum address that endemic the badge could calmly be traced aback to an abode associated with the exploit.
At this point, the aggregation had it all: the accomplishment address, the annual that adjourned it with links to centralized exchanges, the attacker’s Discord, GitHub, and StackExchange accounts, their email address, the aerial academy and university they attended, home address, buzz number, and best important of all—his abounding name.
“Doesn’t delay to Tornado, uses the aforementioned username, reveals his email in a GitHub commit… utter, absolute amateur moves,” says Laurence in disbelief. While the accomplishment itself was absolutely impressive, Dillon adds, the hacker had abhorrent OPSEC every footfall of the way. “Posting on Wikipedia bristles years ago application his abounding name to say that he’s a “notable mathematician” is the alone acumen we articular him,” Dillon says.
Everyone in the Indexed Finance war allowance was assertive that they’d baldheaded the appropriate guy. All they had to do was delay for the antagonist to acknowledgment the funds afore the claiming borderline or advance to about dox and address him to the police. The ordeal, however, was far from over; 20 account afore the deadline, one of the DeFi developers that had volunteered to advice the aggregation analyze the hacker begin that one of the attacker’s websites was aback online and adapted to accommodate added claimed information.
Upon quick examination, the aggregation accomplished that the antagonist was alone 18. “This chock-full things asleep in the advance for like, a day-and-a-half. We were about to dox an 18-year-old,” Laurence explains, adage that the anew alike advice aloft austere ethical apropos aural the team.
To Dox or Not to Dox
Doxing and potentially advertisement a jailbait to the badge didn’t sit able-bodied with anybody on the team. Others disagreed. If he is old abundant to abduct $16 actor in an busy acute arrangement exploit, he’s old abundant to face justice, anticipation one allotment of the team. Besides, the jailbait had spent his time afterward the advance taunting them on Twitter, autograph abstruse poems, citation the “code is law” approach in his defense, and claiming that all he did was assassinate a able arbitrage trade.
Others on the aggregation weren’t too convinced, cerebration that conceivably the bearings had gone to his head. Maybe he should be accepted a bit added time to accede the accurate consequence of the bearings he’s in, they thought. After all, if law administration got involved, the abeyant ramifications on the attacker’s activity could be devastating. In a last-ditch accomplishment to accommodate the antagonist a way out, Dillon messaged him on his claimed phone, advertence already afresh that he’s been articular and will be appear to law administration unless he gives the money back.
“LOL, acceptable luck,” responded the attacker, which had the aftereffect of anon catastrophe all centralized debates over the moral and ethical implications. At this point, it was all over. The Indexed Finance aggregation anon appear addition blog post absolute aggregate they knew about the antagonist and gave all the affirmation they had aggregate to a advocate that contacted the police.
“If he had waited a few added hours or canicule to mix the funds on Tornado, we wouldn’t accept known,” achieve Laurence and Dillon, acceptance that the fate of the victim’s funds and the attacker’s activity were now in the easily of law enforcement. “Or if he wasn’t such a arrogant 13-year old.”
Code is Law?
Despite the Indexed team’s response, the perpetrator does not arise to be budging. Several canicule afterwards the incident, he acquaint a a tweet that he was attractive to appoint a aggregation of the “most aristocratic crypto lawyers”—ones accommodating to advance the case to the accomplished levels if bare be.
Based on his tweets, the antagonist believes that he didn’t do annihilation actionable but instead accomplished a able arbitrage trade. Technically, that is correct. This wasn’t a drudge in the authentic faculty of the word, but a circuitous alternation of affairs that “exploited” the operational argumentation of Indexed Finance’s acute arrangement to disproportionately account the attacker. He didn’t technically “steal” the funds—he aloof accomplished a agglomeration of ultra-complex trades to get authority of them.
The opposing altercation that Laurence and the Indexed aggregation accomplish is that arbitrage is declared to accomplish markets—not breach them. To that point, Jason Gottlieb, a advocate apery a cardinal of individuals complex with Indexed, responded to the antagonist on Twitter, adage “Code is not law. Law is law. And what you did was not a “clever trade.” It was bazaar manipulation. It’s illegal. And bodies go to bastille for it.”
“Code is law” is a almost arguable article circulating mostly aural the crypto community. It implies that that acute affairs on blockchains like Ethereum anatomy a new acknowledged arrangement with predefined, self-executing, and self-enforcing acknowledged relationships, the rules and altitude of which cannot be afflicted ex-post facto. In simpler terms, it agency that acute affairs alter acknowledged codes in the agenda branch and are acceptable for authoritative what bodies do online. Thus, the antagonist would argue, if the acute arrangement acceptable the transaction, it’s fair game—the transaction is legal.
Whether this altercation can angle its arena in cloister charcoal to be seen. If the accordant law administration authorities adjudge to accompany this case, and the antagonist uses this apriorism in his defense, it could mark the aboriginal absolute showdown amid “code is law” and—well, the absolute law.
Disclosure: At the time of writing, the columnist of this affection endemic ETH, SUSHI, and several added cryptocurrencies.
