
Promises and pitfalls

How decentralized finance is creating new opportunities for fraudsters



Amid the current enthusiasm for all things crypto, interest in decentralized finance (DeFi) has exploded. Proponents think it will help democratize finance. But fraud is running rampant in this corner of the market. Here’s how it works and why fraud examiners should be paying attention.

On Oct. 14, 2021, Andean Medjedovic, a teenage math whiz studying at the University of Waterloo in Canada, exploited a flaw in the coding of Indexed Finance, a decentralized application for passive portfolio investments. In the process he lifted close to $16 million in token assets, shocking the founders of the startup and setting the stage for a legal fight over what constitutes fraud and the reach of law enforcement in the digital asset world.

In a complex twist on what’s known as a flash-loan attack, Medjedovic exploited a particular function related to how new assets are introduced to tokenized portfolios, or pools, to distort the price difference between the value of two crypto indices and their underlying net asset values (NAVs). He used a $159 million short-term, collateral-free loan (the flash loan) to sink the value of a pool of assets, which the company alleges he bought at “a tiny fraction of their true value,” and cashed out for a cool $15.8 million. To hide his tracks, Medjedovic ran the token assets he used to pay for the transaction through Tornado Cash, a so-called obfuscator that can allow users to hide their digital trail, according to court documents. [See “Dillon Kellar and Laurence Day (Plaintiffs) and Andean Medjedovic (Defendant),” Ontario Superior Court, Dec. 17, 2021, and “Teenage Suspect in $16M DeFi Hack Wanted for Arrest in Canada,” by Andrew Thurman, yahoo!, Dec. 22, 2021.]

That wasn’t enough to evade detection, however. Indexed Finance’s co-founder Dillon Kellar and his team soon identified the culprit, who to their amazement was an 18-year-old student living with his parents. Sensitive to the young age of Medjedovic, Kellar reportedly messaged him to say that they knew he was the attacker and would report him to law enforcement if he failed to return the money. But Medjedovic balked at the suggestion, and Indexed Finance told the police. (See “Inside the War Room: How Indexed Finance Traced Its $16M Hacker,” by Stefan Stankovic, Crypto Briefing, Nov. 3, 2021.)

This has set the stage for an interesting legal test case. (See sidebar “Code is law, or is it?”) But it also serves as an example of how fraudsters are increasingly finding opportunities in what some are calling the Wild West frontier of finance. The flash loan and the obfuscator used in the Indexed Finance case are just some of the tools fraudsters employ to steal millions of dollars of crypto assets from decentralized finance (DeFi) platforms and apps, which still have little or no regulatory oversight.

