“The default is going to be, ‘Who did this, and why is it the devs?'” Laurence Day says. On October 14, in a house near Leeds, England, Laurence Day was sitting down to a dinner of fish and chips on his couch when his phone buzzed. The text was from a colleague who worked with him on Indexed Finance, a cryptocurrency platform that creates tokens representing baskets of other tokens—like an index fund, but on the blockchain. The colleague had sent over a screenshot showing a recent trade, followed by a question mark. “If you didn’t know what you were looking at, you might say, ‘Nice-looking trade,’ ” Day says. But he knew enough to be alarmed: A user had bought up certain tokens at drastically deflated values, which shouldn’t have been possible. Something was very wrong.
Day jumped up, spilling his food on the floor, and ran into his bedroom to call Dillon Kellar, a co-founder of Indexed. Kellar was sitting in his mom’s living room six time zones away near Austin, disassembling a DVD player so he could salvage one of its lasers. He picked up the phone to hear a breathless Day explaining that the platform had been attacked. “All I said was, ‘What?’ ” Kellar recalls.
They pulled out their laptops and dug into the platform’s code, with the help of a handful of acquaintances and Day’s cat, Finney (named after Bitcoin pioneer Hal Finney), who perched on his shoulder in support. Indexed was built on the Ethereum blockchain, a public ledger where transaction details are stored, which meant there was a record of the attack. It would take weeks to figure out precisely what had happened, but it appeared that the platform had been fooled into severely undervaluing tokens that belonged to its users and selling them to the attacker at an extreme discount. Altogether, the person or people responsible had made off with $16 million worth of assets.
Kellar and Day stanched the bleeding and repaired the code enough to prevent further attacks, then turned to face the public-relations nightmare. On the platform’s Discord and Telegram channels, token-holders traded theories and recriminations, in some cases blaming the team and demanding compensation. Kellar apologized on Twitter to Indexed’s hundreds of users and took responsibility for the vulnerability he’d failed to detect. “I f—ed up,” he wrote.
The question now was who’d launched the attack and whether they’d return the funds. Most crypto exploits are assumed to be inside jobs until proven otherwise. “The default is going to be, ‘Who did this, and why is it the devs?’ ” Day says.
As he tried to sleep the morning after the attack, Day realized he hadn’t heard from one particular collaborator. Weeks earlier, a coder going by the username “UmbralUpsilon”—anonymity is standard in crypto communities—had reached out to Day and Kellar on Discord, offering to create a bot that would make their platform more efficient. They agreed and sent over an initial fee. “We were hoping he might be a regular contributor,” Kellar says.
Given the extent of their chats, Day would have expected UmbralUpsilon to offer help or sympathy in the wake of the attack. Instead, nothing. Day pulled up their chat log and found that only his half of the conversation remained; UmbralUpsilon had deleted his messages and changed his username. “That got me out of bed like a shot,” Day says.
He shared his suspicions with the team, who over the next few days combed the attacker’s digital trail. They discovered that the Ethereum wallet used to transfer tokens during the attack was connected to another wallet used to collect winnings in a recent hacking contest by a participant who sometimes identified himself as UmbralUpsilon. Pulling up the participant’s registration, they saw that it linked to a profile on the collaborative coding platform GitHub.
The GitHub profile had been created by someone whose email address began with “amedjedo” and was associated with a domain owned by a public school board in Ontario. Day and his colleagues also found a Wikipedia contributor with a username similar to the one on GitHub. The Wikipedia editor had once altered the page for a popular Canadian quiz competition for high school students, adding a name under “Alumni”: “Andean Medjedovic, notable mathematician.” Google filled in the rest. Medjedovic had until recently been a master’s student at the University of Waterloo in Ontario, specializing in mathematics. His résumé said he had an interest in cryptocurrency.
The team breathed a sigh of relief. Once cyberattackers have been identified, they […]
source The Math Prodigy Whose Hack Upended A Crypto Platform Won’t Return Funds
Protected by Patchstack