Indexed Finance, an Ethereum-based project that suffered a $16 million hack in 2021, has successfully thwarted two hijacking attempts. Control of the project’s decentralized autonomous organization (DAO) will be returned to its founders, who aim to allocate the remaining treasury to victims of the 2021 hack.
In a thread on X (formerly Twitter), Laurence Day, a former core contributor, detailed the efforts of the Indexed community in overcoming two hijacking attempts on the remaining treasury of the Indexed DAO. Both attackers acquired significant amounts of the protocol’s NDX token and aimed to take control of the DAO’s approximately $120,000 in digital asset holdings through malicious proposals.
The initial proposal, lacking a title or description in an apparent effort to avoid detection, was thwarted as Day and fellow community members mobilized the Indexed DAO for votes against it. The attacker’s proposal neared approval within an hour, but sufficient “No” votes were cast to prevent its passage.
Okay so here's what just happened to the Indexed DAO
The wreckage can be seen in the Tally panel below
This is a long thread, but I want to record it somewhere pic.twitter.com/wRTRZZcwhm
— laurence, backed by paradigm (@functi0nZer0) November 25, 2023
However, because the Indexed team had to coordinate votes against the proposal in the open, Day anticipated the possibility of a copycat attack. Additionally, as Day detailed in his thread, a further vulnerability could jeopardize funds beyond the DAO’s treasury if the DAO ended up under unfriendly control.
To mitigate the threat of a subsequent attack, the Indexed DAO approved a “poison pill” proposal, granting it the authority to burn the remaining treasury funds if necessary to deter potential attackers.
When the anticipated second attack came, the attacker initially sought to negotiate for 50% of the remaining treasury, as revealed in on-chain messages. Indexed founder Dillon Kellar responded by offering $10,000 worth of Dai (DAI) and warned that the entire treasury would be burned if the attacker refused.
With only four hours left until Kellar’s ultimatum, and following an attempt to counter-negotiate for $17,000, the attacker accepted the original offer and withdrew their malicious proposal. Authority over the DAO will now return to a multisig controlled by Day, Kellar and the pseudonymous co-founder PR0, with plans to compensate victims of the 2021 hack using the remaining treasury funds.