By: Eva Baxter
Indexed Finance, an Ethereum-based DeFi project, recently fended off not one but two hijack attempts aimed at the project DAO's treasury. Laurence Day, a former executive of Indexed Finance, detailed the incidents in a thread, describing them as targeted attacks on the DAO treasury, which is currently valued at around $120,000.
Both attackers acquired a significant quantity of Indexed's native token, NDX, and tried to gain control of the protocol's treasury through malicious governance proposals. The first of these, labeled Proposal 24, lacked a heading or description, which made it almost invisible, and it almost succeeded in getting the necessary approval within an hour.
However, once the proposal was discovered, an effort led by Day and supported by the community mobilized individuals to cast their votes against it, which effectively mitigated the first hijack attempt. Following the public attention brought on by the incident, a second, similar attack was anticipated, leading the DAO to take pre-emptive measures.
A second proposal, called the 'Poison Pill', was passed, giving the DAO the authority to burn the assets in the treasury if the situation required such drastic measures. As anticipated, a second attacker appeared and successfully passed a proposal, labeled Proposal 27. However, before it could be executed after the mandatory 48-hour queue period, the attacker decided to negotiate with the DAO, proposing to cancel the Poison Pill proposals for a 50% bounty from the fund.
Amid these negotiations, Indexed's co-founder Dillon Kellar offered $10,000 in DAI in exchange for the cancellation of Proposal 27, threatening to burn the entire treasury otherwise. With only 4 hours remaining before the Poison Pill proposal could be executed, the attacker accepted Kellar's offer, marking the successful prevention of the second hijack attempt.
With this series of events in the past, control over the treasury has been handed over to three individuals: Laurence Day, Dillon Kellar, and a pseudonymous individual known as PR0. Control will be exercised through a 2-of-3 multi-sig arrangement.