Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 059 · Flash Loan Attack

Indexed Finance Rebalancing Exploit

$16M drained from DEFI5 and CC10 index pools via a flash-loan exploit of the rebalancing math; the teen attacker mounted a 'code is law' defense in Canada.

Date
Chain(s)
Status
Funds Stolen
Attribution: Andean Medjedovic

On October 14, 2021 at 18:37 UTC, the index-pool protocol Indexed Finance was exploited for approximately $16 million — drained from its two largest indexes, DEFI5 and CC10. The attacker, later identified as 18-year-old Canadian mathematician Andean Medjedovic, became one of the most famous "code is law" defendants in crypto's history.

What happened

Indexed Finance let users buy exposure to baskets of DeFi tokens through index pools: DEFI5 (5 major DeFi assets) and CC10 (10 large-cap crypto assets). The pools rebalanced their internal weights based on the current pool composition, which was read directly from the pool during rebalancing calls.

The attacker realised that flash-loaning large amounts of a single underlying token into the pool would shift the pool's internal accounting in ways the rebalancing logic interpreted incorrectly — undervaluing the pool's effective TVL relative to its index-token supply, and letting the attacker mint vastly more index tokens than the deposit's true worth.

The attack:

  1. Flash-borrowed UNI from Aave and other sources.
  2. Pumped the borrowed UNI into DEFI5 and CC10 in exchange for index tokens.
  3. The rebalancing logic, fed manipulated internal balances, calculated the pool's value much lower than it should have been — letting the attacker mint many more index tokens per dollar of UNI than the formula intended.
  4. Burned the freshly-minted index tokens to redeem the underlying basket — receiving far more value out than the value of the UNI deposited in.
  5. Repaid the flash loan and walked.

Stolen assets across DEFI5 and CC10: 15 ETH, 226.9K UNI, 7.5K AAVE, 6.4K COMP, 845.8K CRV, 516 MKR, 45.4K SNX, 33.2K LINK, 5.2K YFI, 17.8K UMA, 131.6K BAT — about $16M total. NDX (Indexed's governance token) fell 27% intraday.

Aftermath

  • Indexed Finance paused pool operations and published a detailed post-mortem.
  • The team identified the attacker within days — on-chain forensics traced the funds and KYC'd accounts; the team publicly named Andean Medjedovic, an 18-year-old Canadian.
  • Medjedovic refused to return the funds and publicly took a "code is law" position — arguing that exploiting smart contracts working as designed should not be illegal.
  • Indexed Finance pursued civil action in Canadian courts; Medjedovic became a recurring "code is law" symbol in the DeFi community for several years.
  • Medjedovic was later indicted in the US for the November 2023 KyberSwap exploit, which used a structurally similar precision-error attack pattern.

Why it matters

Indexed Finance was the most prominent "code is law" test case of its era. The legal question — whether exploiting an unintended-but-real consequence of smart-contract logic constitutes a crime — has been progressively narrowed by subsequent rulings. The Mango Markets case in 2025 saw a federal judge overturn Avraham Eisenberg's convictions on similar grounds; the same legal theory underlies Medjedovic's defence in both the Indexed and KyberSwap cases.

The structural lesson on the technical side — that index-pool rebalancing calculations are oracle-like reads of manipulable state, and need flash-loan-resistant protections — was learned by index protocols that came after. The category of "auto-rebalancing index funds with internal price reads" is now dominated by designs that either use external oracle anchors or enforce minimum holding periods to defeat single-block manipulation.
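The two protections named above, as an added sketch (not Indexed Finance's code and not a reconstruction of its contracts): a pool value extrapolated from one token's in-pool balance is checked against an externally priced anchor before a rebalance is trusted, and a holding period blocks same-block mint-and-burn. The `Pool` model, the thresholds, the prices and the balances are all constructed assumptions.

```python
from dataclasses import dataclass, field

MAX_DEVIATION = 0.02   # assumed tolerance between internal read and anchor
MIN_HOLD_BLOCKS = 1    # assumed minimum blocks between mint and burn

@dataclass
class Pool:                      # hypothetical model, not the protocol's contract
    balances: dict               # token -> units held (movable within one block)
    weights: dict                # token -> target weight, summing to 1
    minted_at: dict = field(default_factory=dict)  # account -> block of last mint

    def internal_value(self, ref_token, price):
        # Oracle-like read: whole-pool value extrapolated from one balance.
        return self.balances[ref_token] * price / self.weights[ref_token]

    def anchored_value(self, oracle_prices):
        # Every balance priced by an external oracle feed.
        return sum(q * oracle_prices[t] for t, q in self.balances.items())

def safe_to_rebalance(pool, ref_token, oracle_prices):
    """Trust the internal read only if it agrees with the external anchor."""
    internal = pool.internal_value(ref_token, oracle_prices[ref_token])
    anchored = pool.anchored_value(oracle_prices)
    return abs(internal - anchored) / anchored <= MAX_DEVIATION

def can_burn(pool, account, current_block):
    """Holding period: tokens minted in this block cannot be redeemed in it."""
    minted = pool.minted_at.get(account)
    return minted is None or current_block - minted >= MIN_HOLD_BLOCKS

# Constructed sample data (not figures from the incident).
PRICES = {"UNI": 20.0, "AAVE": 200.0}
WEIGHTS = {"UNI": 0.5, "AAVE": 0.5}
balanced = Pool({"UNI": 25_000, "AAVE": 2_500}, WEIGHTS)
# Same pool after a large single-block UNI inflow, minted by "0xA" at block 100.
skewed = Pool({"UNI": 250_000, "AAVE": 2_500}, WEIGHTS, {"0xA": 100})

if __name__ == "__main__":
    print(safe_to_rebalance(balanced, "UNI", PRICES))  # True
    print(safe_to_rebalance(skewed, "UNI", PRICES))    # False
    print(can_burn(skewed, "0xA", 100), can_burn(skewed, "0xA", 101))
```

The deviation check fires in either direction, so it rejects a rebalance whether the skewed balance makes the internal read too high or too low.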

Sources & on-chain evidence

  1. [01] coindesk.com: https://www.coindesk.com/tech/2021/10/22/after-stealing-16m-this-teen-hacker-seems-intent-on-testing-code-is-law-in-the-courts
  2. [02] ndxfi.medium.com: https://ndxfi.medium.com/indexed-attack-post-mortem-b006094f0bdc
  3. [03] beincrypto.com: https://beincrypto.com/indexed-finance-suffers-16m-loss-in-latest-defi-exploit/
