Blackmail was all that stood between the remaining funds in Indexed Finance’s crypto treasury and a devastating governance token attack.
When a watcher of the neglected Indexed Finance DAO noticed a malicious proposal meant to drain the DAO’s remaining $90,000, they demanded a share of the proposer’s profits to avoid outing the exploiter.
The proposer apparently declined, leading the blackmailer to alert former Indexed contributor Laurence Day, who then told his 30,000 followers on social media platform X of the attack.
Hours later, the governance proposal was narrowly defeated.
Indexed Finance launched in 2020 as an index fund for crypto but has seen activity mostly end in the time since a 2021 flash loan attack drained $15.8 million from the DAO’s coffers.
Since the attack, Day and developer Dillon Kellar stopped working on the protocol, and before last week, Indexed governance hadn’t seen a vote since mid-2022 when the treasury was recouping investor losses and funding a class-action lawsuit.
But in DeFi, protocols remain operational regardless of whether users exist. And as Indexed’s NDX governance token slid to a fraction of a cent, someone spied an opportunity.
400,000 NDX ($4,000 at the time) was needed to reach a governance quorum and pass a proposal. The exploiter made a nameless proposal with a two-day voting window containing code to drain Indexed’s depleted-but-still-existent treasury — containing some $92,000, per DeepDAO.
With the required NDX, the exploiter reached a quorum of votes in favor.
In the proposal’s waning hours, Day, the former Indexed contributor, learned of the exploit and made a plea to his followers on X.
“In keeping with the principle of ‘no, you shouldn’t get to raid the protocols of inactively developed projects for profit by leveraging governance’, I’d appreciate it if anyone who still happens to hold NDX that is delegated to themselves or another wallet they control to vote Against,” Day wrote.
“Against” votes flowed in and the proposal was defeated by a margin of about $90 in NDX.
Day alleges the person who tipped him off to the attack had first blackmailed the exploiter asking for 40% of the funds. On-chain sleuth ZachXBT linked the wallet address of the attempted exploit to a second attack on an inactive crypto project earlier this month.
Attacks on the treasuries of decrepit DAOs are becoming more common as failed projects accumulate but immutable code keeps funds sitting on-chain. A Solana-based DAO was exploited for $230,000 last month when a malicious proposal went unnoticed.
“The unintended side effect of having code governed by token holders that executes forever is that there [are] typically no plans for end of life,” Jeremiah Smith, CEO of DeFi security service OpenCover, said in a Telegram message. “The ‘space trash’ problem of onchain applications has only begun.”
Don’t miss the next big story – join our free daily newsletter.