Indexed Finance: Flash Loan — Rebalancing Delay Pool Oracle Manipulation
Summary
Indexed Finance, an index / passive portfolio protocol (Balancer BPool fork), was exploited on 2021-10-14, resulting in a loss of approximately $16M.
What happened
An attacker used flash loans to manipulate Indexed Finance's pool oracle by 99.97%, tricking the protocol into valuing $100M+ in assets at $300k, then minted inflated index tokens and drained $16M from three pools.
Linked factors
- RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
- RD-F-007 — causal : Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- RD-F-090 — illustrative : Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Tornado Cash funding hours before; large flash loan origination at attack time]
- RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: Y — pool's internal valuation dropped to ~$300k from $100M+ equivalent; 99.97% distortion]
- RD-F-100 — illustrative : Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — flash loans of pool assets used to manipulate reference token balance]
- RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes (Balancer BPool fork with custom rebalancing logic)]