Indexed Finance, an Ethereum-based project that faced a $16 million hack in 2021, has successfully foiled two hijacking attempts on its decentralized autonomous organization (DAO). The project’s founders are set to regain control of the DAO, and their objective is to allocate the remaining treasury to the victims of the 2021 breach.
In a series of posts on X (formerly Twitter), Laurence Day, a former core contributor, elaborated on the efforts of the Indexed community in thwarting two attempts to hijack the remaining treasury of the Indexed DAO. Both attackers managed to accumulate substantial amounts of the protocol’s NDX token and aimed to gain control of the DAO’s approximately $120,000 in digital asset holdings through malicious proposals.
The first proposal, lacking a title or description in an apparent attempt to go unnoticed, was blocked as Day and fellow community members rallied the Indexed DAO for votes against it. Despite the attacker’s proposal coming close to approval within an hour, enough “No” votes were cast to prevent its passage.
However, since the Indexed team had to openly coordinate votes against the proposal, Day foresaw the potential for a copycat attack. Additionally, as highlighted in his thread, a further vulnerability could jeopardize funds beyond the DAO’s treasury if the DAO falls under unfriendly control.
To address the risk of a subsequent attack, the Indexed DAO approved a “poison pill” proposal, empowering it to burn the remaining treasury funds if necessary to deter potential attackers.
In the face of the anticipated second attack, the assailant initially sought to negotiate for 50% of the remaining treasury, as revealed in on-chain messages. Indexed founder Dillon Kellar responded by suggesting $10,000 worth of Dai (DAIUSD) and cautioned about burning the entire treasury if the attacker declined.
With only four hours remaining before Kellar’s ultimatum expired, and after attempting to counter-negotiate for $17,000, the attacker accepted the original offer and withdrew their malicious proposal. Control over the DAO will now revert to a multisig controlled by Day, Kellar, and the pseudonymous co-founder PR0, with plans to use the remaining treasury funds to compensate victims of the 2021 hack.