Review of the Indexed Finance Hack: Math Whiz Breaches DeFi Platform

Written by: Christopher Beam

Translated by: Translation Guild tanghul, The SeeDAO

It was October 14. The location was a house near Leeds, England. When his phone rang, Lawrence Dai was sitting on the sofa enjoying a dinner of fish and chips. The text was from a colleague at Indexed Finance. This is a cryptocurrency platform used to create tokens that can represent several other currencies, akin to an index fund, but on the blockchain. The colleague sent a screenshot of a recent transaction record, followed by a question mark. "If you didn't understand this stuff, you might say, 'This transaction looks pretty good,'" Dai said. But he was an expert, and the image was enough to raise his alarm: a user was buying large amounts of certain tokens at an extremely low price, which should have been impossible. Something was wrong.

Dai jumped up, spilling food everywhere, and ran into the bedroom to call one of the founders of Indexed, Dylan Keller. Six time zones away, near Austin. Keller was sitting in his mother's living room, disassembling a DVD player in an attempt to rescue a laser head inside. He picked up the phone and heard Dai breathlessly explaining that the platform had been hacked. Keller recalled, "I just said, 'What?'"

Dai, Photographer: Bloomberg Businessweek Joanne Coates

They pulled out their laptops and dove into the platform's code. A few familiar friends also came to help, and Dai's cat, Finny (named after Bitcoin pioneer Hal Finney), climbed onto his shoulder in support. Indexed was built on Ethereum, a public ledger that records transaction details, meaning the attack records were also on it. It would take weeks to accurately figure out what had happened, but it was clear that the platform had been played, resulting in the tokens held by users being severely undervalued and sold to the attackers at a steep discount. In total, the perpetrators made off with $16 million worth of assets.

Keller and Dai stopped the bleeding, fixed the code to prevent further attacks, and then began to face a public relations nightmare. In the platform's Discord and Telegram channels, token holders were speculating wildly and hurling insults, some blaming the team and demanding compensation. Keller apologized on Twitter to the hundreds of users of Indexed, taking responsibility for failing to spot the vulnerability. He wrote, "I messed up."

Now the question was who had launched the attack and whether they would return the funds. In most cases, attacks exploiting vulnerabilities in crypto platforms are believed to be internal unless proven otherwise. "By default, people always ask, 'Who did it? Why would the development team do this?'" Dai said.

The morning after the attack, Dai was trying to get some sleep when he suddenly realized that a contributor had been silent for a while. A few weeks earlier, a programmer with the username UmbralUpsilon (anonymity is standard practice in the crypto community) had contacted Dai and Keller on Discord, saying he wanted to create a bot to make the platform more efficient. They agreed and sent him a startup fee. Keller said, "At the time, we hoped he might become a regular contributor."

Given the scope of their discussions, Dai thought that after the attack, UmbralUpsilon would help them out or at least express sympathy. However, nothing came. Dai pulled up their chat history and found that only his part of the conversation remained; UmbralUpsilon had deleted his messages and changed his username. "That made me jump out of bed," Dai said.

He shared his suspicions with the team. Over the next few days, they scoured the internet for digital traces of the attacker. They discovered that the Ethereum wallet used to transfer the tokens in the attack was linked to a wallet used by a participant in a recent hacking competition to collect a prize, and this participant sometimes referred to himself as UmbralUpsilon. They pulled up this person's registration information and saw it linked to a personal profile on the collaborative coding platform GitHub.

The person who created this GitHub profile used an email address starting with "amedjedo," the domain of which belonged to a public school board in Ontario. Dai and his colleagues also found that the username of a Wikipedia editor was very similar to this person’s on GitHub. This editor had modified the page of a popular high school intelligence competition in Canada, adding a name in the "Alumni" section: "Andean Medjedovic, renowned mathematician." The rest of the work was left to Google. Until recently, Medjedovic was a master's student at the University of Waterloo in Ontario, studying mathematics. His resume showed an interest in cryptocurrency.

The whole team breathed a sigh of relief. Typically, once the identity of a cyber attacker is confirmed, they will return the funds in exchange for a face-saving bounty and gain the title of "white hat hacker." Dai contacted UmbralUpsilon, offering a 10% reward if he safely returned the tokens. Dai also begrudgingly praised him with a "well done," but he received no reply. Then Keller tried another strategy; he messaged Medjedovic directly, calling him "Andean." This time, Medjedovic responded. He publicly mocked Indexed's users on Twitter: "You were scammed by off-exchange trading. You can do nothing about it… this is cryptocurrency." Another team member emailed Medjedovic separately, saying they would pay him $50,000 if he returned the tokens. Medjedovic replied with an Ethereum address link and a message: "Send the money." They did not fall for it. Shockingly, they discovered that this tormentor was only 18 years old.

Finally, before having to involve lawyers and police, Keller sent Medjedovic a text for one last plea. He wrote, "I beg you to give up now and make it easier on yourself." The teenager's reply was "Xdxdxd" (an expression of laughter), along with, "Good luck."

Keller, Photographer: Bloomberg Businessweek Cindy Elizabeth

When they initially created Indexed, Keller and his co-founder envisioned it as a step forward for DeFi. The blockchain-based DeFi movement (decentralized finance) aims to provide a more automated and less intermediary-dependent way of lending, trading assets, and managing portfolios. Some supporters hold a pragmatic view of DeFi, seeing it as an improvement over traditional finance, eliminating fee-extracting intermediaries and slow human decision-making. Others are more libertarian, viewing DeFi as a paradise outside the existing system, a channel to evade rules and restrictions imposed by governments or large corporations. There are also skeptics who believe it is all a scam.

Keller, who describes himself as "very progressive," is firmly in the pragmatic camp. At 23, he felt that his computer science courses taught him nothing new, so he dropped out of the University of Texas at Dallas. Keller then founded the Indexed platform to solve a problem: what if someone wanted to trade cryptocurrency but found managing a portfolio every day too cumbersome?

In traditional finance, if an investor wants to balance a portfolio of multiple stocks, they can buy an index fund to hand over the daily buying and selling of stocks to a portfolio manager. Keller set out to create a similar mechanism on the blockchain, but driven by algorithms. Index fund managers maintain a portfolio composed of underlying assets of index stocks, while Indexed's algorithm maintains a "pool of assets" for each index token composed of underlying tokens. Users can inject one or all of the underlying assets into the pool in exchange for an index token—this process is called "minting." Similarly, users can "burn" the index token by injecting it into the pool to receive one or all of the underlying assets. Additionally, like exchange-traded funds (ETFs), users can buy and sell index tokens on decentralized exchanges like Uniswap.

Index funds come in various forms, each using different investment strategies. Some indices are market-cap weighted, like the S&P 500: if the price of a stock within the index rises, that stock's value in the portfolio proportionally increases. Other index funds seek to maintain fixed proportions among the stocks. For example, if you want Microsoft's stock to always represent 20% of the portfolio, when Microsoft's stock price rises, the portfolio manager will sell some to maintain its 20% weight.

Keller and his team modeled Indexed after these types of funds, using a mechanism called "automated market maker (AMM)" to maintain the balance of underlying assets, which many DeFi platforms do. Unlike traditional market makers, AMMs do not buy and sell assets themselves. Instead, they incentivize traders to buy tokens from the pool or sell tokens into the pool by adjusting the "pool price" of internal tokens, helping the asset pool achieve the desired asset balance. When the pool needs more of a certain token, its "pool price" rises; when the demand for a certain token decreases, its "pool price" falls. This model assumes that users will rationally interact with the protocol, buying low and selling high.

By eliminating human managers, Indexed was able to avoid management fees. In contrast, users of Indexed's fierce competitor, Index Coop, must pay a 0.95% management fee just to hold its most popular index token. (Indexed charges fees for burning tokens and swapping assets in the pool, but these only affect a small portion of users.) Indexed also saves costs by limiting the number of interactions between the platform and external entities. For example, when Indexed needs to calculate the total value of all assets in a pool, it sometimes infers it based on the weight and value of the token with the highest weight in the pool (called the "benchmark token") rather than checking the price of each token on exchanges like Uniswap. This way, Indexed reduces the transaction fees paid on Ethereum. Keller views "complete passivity" as a "natural extension of how index funds currently operate."

But "passivity" also brings risks. If there are issues with the code, someone can exploit it directly without needing to bypass any human protections. The practice of limiting blockchain interactions to reduce costs requires trade-offs: the fewer steps in a smart contract (a program script that executes automatically when certain conditions are met), the more room there is for security vulnerabilities. The list of cryptocurrency platforms that have been attacked is long and growing weekly: Poly Network, Wormhole, Cream Finance, Rari Capital… Dai said, "There's an old saying in DeFi: there are two types of DeFi protocols: those that have been hacked and those that will be hacked."

Keller had long recognized a potential attack vector: the mechanism Indexed used to import tokens into the asset pool. When such an "index reconstruction" occurs—say, when the market value of one token exceeds another, making it eligible to be included in a blue-chip fund—the asset pool sets the initial price of this new token using a complex equation. One variable in that equation is the value of the benchmark token. If you can somehow mess with the pricing of the benchmark token within the asset pool, you could theoretically force the asset pool to misprice other tokens.

Keller said, "I spent at least two weeks studying this issue." But he couldn't find any errors. The two security researchers he hired to check the code also found no errors. So he said, "I concluded it wasn't an attack vector." However, Indexed still posted a warning on its website: "We are confident in the security of our contracts… (but) we cannot be absolutely certain that there are no overlooked errors."

The platform debuted in December 2020, initially offering two index tokens: CC10 and DEFI5. CC10 represents the 10 highest market cap tokens on Ethereum, while DEFI5 represents the 5 highest market cap DeFi tokens. The project quickly gained a small group of loyal fans, including Dai. Dai holds a PhD in theoretical computer science and a master's in financial engineering, and his master's thesis was about optimizing stock market index portfolios. Indexed aligned with his interests and matched his relatively low risk tolerance. He said, "When it comes to investments outside of cryptocurrency, I'm completely boring."

Dai and Keller got along well. They both had a quirky sense of humor, with one being a talented writer and financial expert and the other a creative programmer, their skills complementing each other. "I'm completely a humanities person, while Dylan is a classic STEM guy," said Dai, now 33. In April 2021, Dai quit his job at an oil and gas company and joined Indexed full-time.

That year, interest in cryptocurrency surged. Fueled by this momentum, Indexed skyrocketed, quickly becoming the second-largest index protocol by market cap on Ethereum, behind Index Coop. They raised their ambitions, launched index tokens, and planned upgrades to allow assets in the pool to earn interest. The DeFi platform Balancer, which deployed Indexed's code, was also encouraged and provided them with funding—a vote of confidence in Indexed's future.

When Indexed launched, Medjedovic, who went by the nickname Andy, had just begun his master's degree. He planned to complete it in a year. He was always quick to get things done, having started taking 10th-grade math classes in elementary school, graduating high school at 14, and completing his undergraduate studies at the University of Waterloo in three years. The University of Waterloo is one of Canada's top schools for mathematics and computer science and the alma mater of Ethereum co-founder Vitalik Buterin. By the fall of 2021, Medjedovic had submitted his master's thesis on random matrix theory and planned to apply for a PhD. University of Waterloo mathematics professor David Jao said, "I can't think of any other student who could have gotten that degree so early."

Despite being academically advanced, Medjedovic's social maturity lagged behind. A former classmate, who requested anonymity to speak candidly about sensitive issues, recalled that he was "confident to the point of arrogance," openly looking down on students he deemed less intelligent. This classmate also said, "No matter what he did or said, he believed it was never wrong, it was absolute truth." Medjedovic was reportedly flirting with some extremist ideologies: this classmate had heard him express admiration for white supremacy and eugenics (Medjedovic did not respond to requests for comment on this before publication).

Nevertheless, Medjedovic made some friends and stayed in touch with them through activities like chess and the video game League of Legends. He also enjoyed reading novels, especially science fiction. In a social media profile, he quoted several passages from Kurt Vonnegut's Cat's Cradle, expressing the futility of humanity's quest for knowledge: "Tigers hunt, birds fly, people sit down and think, think, think; tigers sleep, birds return home, and people tell themselves that all of this belongs to them."

Medjedovic also gradually became a skilled programmer, frequently participating in an online hacking competition called Code4rena (C4). In this competition, companies offer bounties for developers to find security vulnerabilities in their systems. He had won prizes in the competition twice. "He seemed friendly and cool," said Adam Avenir, who helped run C4 and had communicated with Medjedovic both before and after the attack on Indexed, "like a serious kid."

Medjedovic was interested in DeFi, especially the AMM mechanism. In an email, he said, "Whenever I hear about a new type of DeFi product, I carefully study how it works. If I come up with a good idea, I'll invest some money." (Medjedovic declined to participate in a phone interview but agreed to answer some questions via email.) He estimated that he spent hundreds of hours "playing with the math behind these DeFi products, experimenting with the profitability of different strategies." Then, he wrote bots that could execute arbitrage trades on these platforms, earning small profits and helping the asset pools operate more efficiently.

After seeing Indexed on a forum, he carefully studied its smart contracts and noticed an "opportunity for mispricing" in Indexed's code—precisely the kind of means Keller had worried about, which could distort the internal price calculations of the asset pool when introducing new tokens. He also found that it was possible to bypass protections limiting the size of certain trades within the pool. He said, "At first, I didn't believe it," he did a few calculations, "and theoretically it was feasible." Over the next month, he wrote a script that could exploit this vulnerability.

He also contacted the Indexed team on Discord under the name UmbralUpsilon, asking some basic questions about asset composition and pricing, and offered to write an arbitrage bot for the platform. In hindsight, Dai said, "I suspect he might have been trying to probe to see if I could open a gap for him." Keller and Dai said the information they shared at the time was not exploited in this attack.

Ultimately, in mid-October, Medjedovic was ready with the code he intended to deploy. Equally important, the timing was ripe for "index reconstruction" of the two largest asset pools in Indexed. They only needed a user to introduce a small amount of new tokens—specifically, both pools needed Sushi, the token of the DeFi exchange SushiSwap.

Exploiting this vulnerability required writing hundreds of lines of code, which the court later used dozens of pages to explain. But the process included several key steps. To attack the token pool that makes up the DEFI5 index (and later the CC10 pool), Medjedovic wrote a program and obtained a "flash loan" worth $157 million—a mechanism in cryptocurrency trading that allows users to borrow funds as long as they repay the loan within the same set of pre-programmed transactions. Then, his script used a large portion of the loan to buy almost all the UNI (the token of the DeFi exchange Uniswap) in the pool. The sudden shortage of UNI caused the price of UNI in the pool to skyrocket, as the algorithm tried to incentivize traders to sell more UNI back into the pool and stop buying UNI from the pool to restore the original balance. The more UNI Medjedovic bought, the higher the price of UNI in the pool rose, eventually reaching 860 times the external market price. He spent a total of $109 million worth of tokens to buy UNI that was actually worth $5.2 million.

Attack on DEFI5: 1 Program and 7 Key Steps (Excerpt)

On the surface, this was a crazy transaction, but UNI played a unique role in the DEFI5 asset pool. UNI was the benchmark token—the pool used it to infer its total value. As the amount of UNI in the pool sharply decreased, the asset pool's self-valuation now equated to only 1/380 of its actual value. Consequently, the amount of new Sushi needed also plummeted, which was essential for minting DEFI5 tokens. At this point, if Medjedovic wanted, he could exchange $3,200 worth of Sushi tokens for $1.172 million worth of DEFI5 tokens. And if he had simply done that, Indexed wouldn't have had any issues. The Indexed protocol limited the number of new tokens users could exchange into the pool, so he could only extract about 1.5% of the pool's value—which, considering transaction fees, wasn't profitable for him.

Instead, Medjedovic's script obtained another flash loan—this time worth $2.4 million in Sushi tokens. He didn't swap these tokens into the asset pool; instead, he gifted them to the asset pool—an action that seemed illogical but was something Indexed's algorithm had not accounted for in its design. This "gift" crippled the asset pool, bypassing its usual trading limits on new tokens. It allowed Medjedovic to freely exchange the overvalued Sushi tokens for undervalued DEFI5 tokens, which he then cashed out for the underlying assets in the pool, repaying the loan, with the remainder landing in his pocket, now worth $11.9 million. The attack on the CC10 fund pool further increased the total value to $16 million.

Medjedovic recalled in an email that he was surprised by the success of the attack. He wrote, "I only made a few attempts and got it done," and soon he ran out of money to pay for blockchain transaction fees.

"Absolutely impressive," Keller said, "but his talent was misapplied."

If Medjedovic ever considered returning the tokens, he didn't think about it for long. After the Indexed team confirmed his identity, he posted a provocative poem on Twitter: "A frog leaps into the pool, coolness relies on skill. | To cook the frog, they try with all their will. 'Don't arbitrage that money,' they cry to the sky. | But the frog is happy, for the divine is nearby." Some commented to incite him. One posted a crown emoji. Another wrote, "I love this guy."

Some used racist language and rhetoric to harshly criticize him: the Ethereum address Medjedovic used for the attack included the number "1488" (an abbreviation for a neo-Nazi slogan), and he wrote the derogatory term for Black people 16 times in the code. One Twitter user referred to him as "the Dylan [sic] Roof of the Balancer asset pool," referencing the shooter who killed nine Black people in a church in Charleston, South Carolina, in 2015. Medjedovic liked that tweet.

The weeks following the attack were hell for Keller and Dai. They were busy rebuilding the protocol, dealing with online scrutiny, and designing a compensation plan for their token holders. To make matters worse, Dai's cat Finny also met a tragic fate; it was killed by a car.

On December 9, nearly two months after the attack, Keller and Dai filed a lawsuit against Medjedovic in Ontario. They claimed his actions constituted fraud and that he should return the tokens to their original owners. They were not the first to do so. An anonymous company registered in Delaware, Cicada 137 LLC, had previously sued Medjedovic, but that case had been sealed. Keller and Dai only learned of this after submitting their own lawsuit. According to its lawsuit, Cicada 137 was the largest holder of tokens lost in the hack, with the total value of the tokens involved reaching $9 million at the time. (Cicada 137's lawyer, Benjamin Bathgate, declined to disclose the identity of the client.)

When Keller and Dai filed their lawsuit, Cicada had already obtained a freezing order for the disputed tokens. The court could not directly control Medjedovic's wallet, but if he used those tokens now, he would be breaking the law. Cicada also obtained a search warrant for Medjedovic's parents' house, where he had been living. But when the court executed the search on December 6, he had already left with his computer equipment. His parents and brother claimed they did not know where he was.

Keller and Dai's lawyers argued in the lawsuit that two specific steps in the attack violated market manipulation and computer hacking regulations. One was buying almost all the UNI tokens in the DEFI5 pool, a seemingly irrational transaction that could be rationalized as distorting pricing, forcing Indexed users to sell their tokens, allowing Medjedovic to buy in at a low price. "The sole purpose of this transaction was to mislead token holders into selling their tokens under conditions they would never agree to," said Stephen Aylward, the lawyer representing Keller and Dai, "we believe this is market manipulation." The same argument applied to Medjedovic's actions concerning the CC10 asset pool.

Another illegal step was Medjedovic's act of gifting Sushi to cripple the asset pool, deceiving the algorithm and allowing him to bypass size restrictions on certain trades. Aylward called this "Andean's deliberate act to disable security measures, akin to breaching a bank's security system." He argued that this behavior fits Canada's "extremely broad" legal definition of hacking, which can be interpreted as "subverting the intended purpose of a computer system."

Medjedovic has not formally responded to either lawsuit; he told me he doesn't even have a lawyer in Ontario. But in our email exchanges, he claimed that he executed a series of completely legal transactions. "Everything I did did not involve entering a system I was not allowed to enter," he said. "I did not steal anyone's private keys. My interactions with the smart contracts complied with the publicly stated rules of those smart contracts. The ones who lost internet tokens in this transaction were those trying to profit from the smart contracts, and those people clearly did not fully understand the risks of holding those trading positions." Medjedovic added that he took "huge risks" in executing this strategy. If it failed, he would lose "a significant portion of my portfolio." (He could have lost about 3 ETH in transaction fees, worth around $11,000 at the time.)

This case raises some tricky questions about "what interactions between humans and blockchain code are legally permissible." For example, the plaintiffs claim that Medjedovic's actions in manipulating the value of tokens within the asset pool amounted to making "false representations." But who made the false representation, Medjedovic or the algorithm? Barry Sookman, a lawyer specializing in information technology in Toronto, said there is no essential difference: "Individuals are responsible for the technological activities under their control."

If Medjedovic participated in deception, who did he deceive? Based on this point, Andrew Lin, a Dallas lawyer who provided consulting to Medjedovic but did not formally participate in the Ontario case, rejected the notion of false representation. Andrew Lin said, "It's hard to say who he made false representations to; he wrote a few lines of code. The code itself is not inherently right or wrong."

Andrea Matwyshyn, a researcher in cybersecurity, said that without understanding all the facts that might emerge during the investigation of the case, it's impossible to predict how a judge will rule. He is a professor of law and engineering at Penn State University. But this case is extremely unclear, especially considering Medjedovic's claims about taking risks. "Once Wall Street people discover a loophole, they will conduct strategic research and often make a lot of money in one go," Matwyshyn said, "I can imagine that after investigating the technical and financial details of this case and weighing various factors, the judge might conclude that some factors make this behavior more like highly speculative trading."

The legal and regulatory gray area surrounding DeFi also adds uncertainty. Anyone with technical expertise can create an investment tool, put it online, and expose users to risks that could be attacked. SEC Chairman Gary Gensler has stated that he plans to regulate cryptocurrency trading platforms. Former Commodity Futures Trading Commission commissioner and current SEC General Counsel Dan Berkovitz described DeFi as a "Hobbesian market," whose products violate commodity trading regulations. In March, the White House issued an executive order calling for regulations to "mitigate the risks that digital assets may pose to consumers, investors, and businesses."

Ryan Clements, a law professor at the University of Calgary, said these proposed regulations might not prevent attacks like the one on Indexed but could lower or at least alert traders to potential dangers. For example, regulations could require that products undergo "code audits" by qualified entities before launch and mandate real-name registration. However, Clements said this would pose a challenge for enforcement. Governments cannot "block" decentralized platforms like they would regular websites because they operate on globally distributed blockchains. Moreover, even if the government could block them, mimicking platforms could emerge.

DeFi purists are more inclined to keep the government away from their platforms. Chris Blec, head of the regulatory site DeFi Watch, stated on Twitter that the attack on Indexed was "an embarrassment for DeFi," criticizing the team for seeking help from centralized institutions like the courts. Keller said he had no other choice—DeFi has no judicial system of its own. Regardless, he believes DeFi should operate within the existing legal framework. "I think DeFi should be decentralized in governance and project management," he said, "but there needs to be a central authority to enforce some basic rules."

A week after Keller and Dai filed their lawsuit, Medjedovic attended a virtual hearing held on Zoom. He turned off his camera and remained silent. The judge ordered him to either transfer the disputed assets in the case to a neutral third party or appear in person the following week. When the deadline arrived, Medjedovic still had not transferred the tokens or appeared in court. The judge issued a warrant for his arrest.

Unless authorities can find Medjedovic or he decides to appear in court, this case will remain unresolved. In non-cryptocurrency cases, if the plaintiff obtains a default judgment, the court can simply order the defendant's bank to freeze their accounts or hand over their assets. But due to the nature of crypto wallets, which can only be accessed with private keys, without Medjedovic's cooperation, authorities cannot obtain the tokens. I asked him if he had spent any of the proceeds from the attack, and he said, "I don't believe in spending money." Recently, someone did move tokens worth nearly $400,000 from the wallet used in the Indexed attack to what appears to be a mixer, making the tokens' whereabouts untraceable. This suggests that Medjedovic may be using some of those funds.

Almost everyone I spoke with hopes he will show up, so that even if they can't get their money back, at least the court can resolve the tricky legal issues involved in the case. Cicada 137's lawyer Bathgate said there is "ample reason to believe" that Medjedovic has fled abroad. Law enforcement in Ontario has stated that they are not actively pursuing him, and both the Royal Canadian Mounted Police and the FBI declined to comment. But hiding won't solve his legal problems. The judge presiding over the case, Frederick Myers, wrote, "I can assure Andean Medjedovic that lawsuits do not age like fine wine; they do not get better with time."

To put it nicely, Medjedovic seems uninterested in public sympathy. In his emails to me, he was sometimes candid and sometimes provocatively combative. When I asked him if someone was advising him behind the scenes, he took the latter approach: "From start to finish, I was in private contact with my mentor Peter Thiel. He encouraged me to do this!" (A representative for Thiel declined to comment.) In other responses, he mentioned "ancestor simulations," "hiding diamonds in outer space," and a United Nations project to "sneak into people's homes through the chimney and leave a copy of Thucydides under their pillows." Whether he genuinely believes these things is almost bizarre, even by internet meme standards.

Regarding his future, Medjedovic is indifferent, saying, "I don't care about 'finding a job' or anything like that. Wagging my tail in a cage is not my idea of a good life." He does not rule out the possibility of creating his own product: "If I come up with a necessary and useful technology, of course, I would develop it. So far, I haven't had any epiphanies in that regard."

Meanwhile, the Indexed team continues to move forward. In January of this year, Indexed launched an index token, but since then, the platform's total value has further declined with the downturn in the entire DeFi space. Their planned upgrades have also been put on hold. Keller said, "After all this happened, neither of us has the motivation to continue with this project like we used to." Dai added, "Most people realize that Indexed is struggling to get back on track."

On the bright side, Dai has a new cat—Katniss. And although the attack and its aftermath have been painful, it has also drawn attention. Both Keller and Dai have received job offers in the DeFi space. Dai is also applying to law school. He said, "There aren't many people who can bridge the gap between technology and legal frameworks; I think I can do it myself."

In February of this year, while Medjedovic was still in hiding, Keller and Dai flew to attend the Ethereum Denver conference. There, they attended various parties and panels, meeting some developers. But most of the time, they were just talking to each other. It was their first time meeting in person at an offline event, and there was so much to discuss. To commemorate the moment, Dai took a selfie of the two of them. In the photo, Dai is grinning widely, while Keller looks bewildered. Dai plans to post the photo on Twitter with the caption: "STEM guy squad makes its debut."