The Math Prodigy Whose Hack Upended DeFi Won't Give Back His Millions
Friday May 20, 2022. 06:48 PM , from Slashdot
An 18-year-old graduate student exploited a weakness in Indexed Finance's code and opened a legal conundrum that's still rocking the blockchain community. Then he disappeared. An excerpt from a report: On Oct. 14, in a house near Leeds, England, Laurence Day was sitting down to a dinner of fish and chips on his couch when his phone buzzed. The text was from a colleague who worked with him on Indexed Finance, a cryptocurrency platform that creates tokens representing baskets of other tokens -- like an index fund, but on the blockchain. The colleague had sent over a screenshot showing a recent trade, followed by a question mark. 'If you didn't know what you were looking at, you might say, 'Nice-looking trade,'' Day says. But he knew enough to be alarmed: A user had bought up certain tokens at drastically deflated values, which shouldn't have been possible. Something was very wrong. Day jumped up, spilling his food on the floor, and ran into his bedroom to call Dillon Kellar, a co-founder of Indexed. Kellar was sitting in his mom's living room six time zones away near Austin, disassembling a DVD player so he could salvage one of its lasers. He picked up the phone to hear a breathless Day explaining that the platform had been attacked. 'All I said was, 'What?'' Kellar recalls.
They pulled out their laptops and dug into the platform's code, with the help of a handful of acquaintances and Day's cat, Finney (named after Bitcoin pioneer Hal Finney), who perched on his shoulder in support. Indexed was built on the Ethereum blockchain, a public ledger where transaction details are stored, which meant there was a record of the attack. It would take weeks to figure out precisely what had happened, but it appeared that the platform had been fooled into severely undervaluing tokens that belonged to its users and selling them to the attacker at an extreme discount. Altogether, the person or people responsible had made off with $16 million worth of assets. Kellar and Day stanched the bleeding and repaired the code enough to prevent further attacks, then turned to face the public-relations nightmare. On the platform's Discord and Telegram channels, token-holders traded theories and recriminations, in some cases blaming the team and demanding compensation. Kellar apologized on Twitter to Indexed's hundreds of users and took responsibility for the vulnerability he'd failed to detect. 'I f---ed up,' he wrote. The question now was who'd launched the attack and whether they'd return the funds. Most crypto exploits are assumed to be inside jobs until proven otherwise. 'The default is going to be, 'Who did this, and why is it the devs?'' Day says.
As he tried to sleep the morning after the attack, Day realized he hadn't heard from one particular collaborator. Weeks earlier, a coder going by the username 'UmbralUpsilon' -- anonymity is standard in crypto communities -- had reached out to Day and Kellar on Discord, offering to create a bot that would make their platform more efficient. They agreed and sent over an initial fee. 'We were hoping he might be a regular contributor,' Kellar says. Given the extent of their chats, Day would have expected UmbralUpsilon to offer help or sympathy in the wake of the attack. Instead, nothing. Day pulled up their chat log and found that only his half of the conversation remained; UmbralUpsilon had deleted his messages and changed his username. 'That got me out of bed like a shot,' Day says.
Read more of this story at Slashdot.
Jul, Thu 7 - 03:11 CEST