Indexed Finance, an Ethereum-based project that suffered a $16 million hack in 2021, has successfully thwarted two hijacking attempts. Control of the project’s decentralized autonomous organization (DAO) will be returned to its founders, who aim to allocate the remaining treasury to victims of the 2021 hack.
In a thread on X, Laurence Day, a former core contributor, detailed the efforts of the Indexed community in overcoming two hijacking attempts on the remaining treasury of the Indexed DAO. Both attackers acquired significant amounts of the protocol’s NDX token, aiming to take control of the DAO’s approximately $120,000 digital asset holdings through malicious proposals.
The initial proposal, lacking a title or description in an apparent effort to avoid detection, was thwarted as Day and fellow community members mobilized the Indexed DAO for votes against it. The attacker’s proposal neared approval within an hour, but sufficient ‘no’ votes were cast to prevent its passage.
Okay so here’s what just happened to the Indexed DAO
The wreckage can be seen in the Tally panel below
This is a long thread, but I want to record it somewhere pic.twitter.com/wRTRZZcwhm
— laurence, backed by paradigm (@functi0nZer0) November 25, 2023
Nonetheless, because the Indexed team had to coordinate votes against the proposal in the open, Day anticipated the possibility of a copycat attack. As Day also detailed in his thread, a further vulnerability could jeopardize funds beyond the DAO’s treasury if the DAO ended up under unfriendly control.
To mitigate the threat of a subsequent attack, the Indexed DAO approved a ‘poison pill’ proposal, granting them the authority to burn the remaining treasury funds if deemed necessary to deter potential attackers.
When the anticipated second attack came, the attacker initially sought to negotiate for 50% of the remaining treasury, as revealed in on-chain messages. Indexed founder Dillon Kellar responded by offering $10,000 in DAI, the stablecoin issued by MakerDAO, and warned that the entire treasury would be burned if the attacker refused.
With only four hours left until Kellar’s ultimatum, and following an attempt to counter-negotiate for $17,000, the attacker accepted the original offer and withdrew their malicious proposal. Authority over the DAO will now return to a multisig controlled by Day, Kellar, and the pseudonymous co-founder PR0, with plans to compensate victims of the 2021 hack using the remaining treasury funds.