22-year-old math wiz indicted for alleged DeFi hack that stole $65M
arstechnica.com
HACKING SMART CONTRACTS

22-year-old Andean Medjedovic of Canada could spend decades in prison if convicted.

Dan Goodin, Feb 4, 2025 8:25 am

Credit: Akos Stiller/Bloomberg via Getty Images

Federal prosecutors have indicted a man on charges he stole $65 million in cryptocurrency by exploiting vulnerabilities in two decentralized finance platforms and then laundering proceeds and attempting to extort swindled investors.

The scheme, alleged in an indictment unsealed on Monday, occurred in 2021 and 2023 against the DeFi platforms KyberSwap and Indexed Finance. Both platforms provide automated services known as liquidity pools that allow users to move cryptocurrencies from one to another. The pools are funded with user-contributed cryptocurrency and are managed by smart contracts enforced by platform software.

Formidable mathematical prowess

The prosecutors said Andean Medjedovic, now 22 years old, exploited vulnerabilities in the KyberSwap and Indexed Finance smart contracts by using manipulative trading practices. In November 2023, he allegedly used hundreds of millions of dollars in borrowed cryptocurrency to cause artificial prices in the KyberSwap liquidity pools. According to the prosecutors, he then calculated precise combinations of trades that would induce the KyberSwap smart contract system, known as the AMM, or automated market maker, to "glitch," as he wrote later.

The scheme allegedly allowed Medjedovic to steal roughly $48.8 million from 77 KyberSwap liquidity pools on six public blockchains. He allegedly also tried to extort developers of the KyberSwap protocol, investors, and members of the decentralized autonomous organization (DAO). The prosecutors said the defendant offered to return 50 percent of the stolen cryptocurrency in return for him receiving control of the KyberSwap protocol.

In an attempt to launder the proceeds later, prosecutors said, Medjedovic also used bridge protocols to transfer cryptocurrency from one blockchain to another through a cryptocurrency mixer designed to conceal the source of digital assets. After one bridge protocol froze several of his transactions, Medjedovic agreed to pay more than $80,000 to someone he thought had control of the bridge to circumvent restrictions and release approximately $500,000 in stolen cryptocurrency. That transaction, as will be explained shortly, ultimately led to his undoing.

The prosecutors said Medjedovic spent months planning the attack by carefully identifying the best time to pull it off.

The prosecutors said the other heist occurred in 2021, when Medjedovic used similar tactics to steal $16.5 million in cryptocurrency from Indexed Finance. The index pools on this platform function similarly to mutual funds or exchange-traded funds, except that rather than holding traditional equities, the index pools hold an index of digital tokens, which could be traded on the Ethereum platform.

Justice Department officials explained:

"In October 2021, Medjedovic used manipulative trading to exploit two Indexed Finance liquidity pools on the Ethereum network. Medjedovic used hundreds of millions of dollars in borrowed cryptocurrencies to distort a process called re-indexing, which was used by the Indexed Finance smart contracts to add a new token to the liquidity pools. Medjedovic used the borrowed cryptocurrency to engage in manipulative trading to cause the Indexed Finance smart contracts to set artificial prices during the re-indexing process. He then stole approximately $16.5 million in investor cryptocurrency from the liquidity pools.

"Beginning after the Indexed Finance exploit, in or around 2022, Medjedovic conspired with another person to launder the proceeds of his illegal conduct through cryptocurrency exchange accounts that were opened using false information, and by using a cryptocurrency mixer. Among other things, Medjedovic maintained a step-by-step playbook for moving large amounts of cryptocurrency through the mixer, which he titled a 'moneyMovementSystem.' In other documents, Medjedovic discussed circumventing 'know your customer' or KYC procedures and using cryptocurrency exchange accounts opened with false KYC information for hacks and cashing out."

A Canadian national who holds a master's degree in mathematics from the University of Waterloo, Medjedovic has been at large since 2021, when officials in Ontario charged him with pulling off the heist against Indexed Finance. A charging document in that case alleged he leveraged his formidable mathematical prowess to devise and unleash a complex computer attack against Index Finance and essentially induced it to send him $15 million in others' cryptocurrency tokens.

The prosecutors said files they found on Medjedovic's computer showed he planned to buy flights out of Canada to escape capture. The plan ultimately unraveled after he developed a relationship with someone who turned out to be an undercover law enforcement source. Medjedovic allegedly offered to pay the person roughly $86,559 to move funds off of platforms that had banned him for his alleged role in the KyberSwap attack.

Details about the vulnerabilities that were exploited aren't clear. The indictment said the exploit "generally consisted of the following: (1) borrowing funds; (2) creating artificial prices in the KyberSwap Elastic liquidity pools; (3) submitting manipulative swaps to cause the KyberSwap Elastic AMM to miscalculate available liquidity at these artificial prices; (4) extracting liquidity from the KyberSwap Elastic liquidity pools; (5) repaying the flash loan; and (6) withdrawing tokens. Although the exploit involved numerous swaps, the swaps used to exploit each liquidity pool were submitted as a single cryptographic transaction, meaning that they were executed in nearly instantaneous succession, and the steps were substantially similar in each of the drained liquidity pools. Publicly available event logs created during the exploit and programmed by MEDJEDOVIC catalog the steps of the exploit in each of the liquidity pools."

The alleged hack is only the latest to target smart contracts, which in theory are enforced by code that can't be interfered with by humans once executed. In 2016, a crowdfunded investment fund known as The DAO was pushed to the brink of collapse after a smart contract drained $50 million in Ether currency by exploiting a bug residing in software functions individual investors used when cashing out of the fund. A similar smart contract hack played out again in 2021.

The indictment unsealed on Monday charged Medjedovic with wire fraud, computer hacking, and attempted extortion. If convicted, he faces fines and decades in prison.
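The six-step sequence the indictment describes (borrow, distort prices with swaps, extract liquidity, repay, withdraw) doubles as a detection signature for protocol teams and chain-monitoring tooling, precisely because every step lands in one transaction and each pool emits an event log for it. The following monitor is an added example, not code from the article, the indictment, or either protocol: it groups emitted events by transaction hash and raises a finding when a pool loses a large share of its liquidity inside a single transaction, escalating severity when that drain sits between a flash-loan open and its repayment and the swap volume against the pool dwarfs the pool itself. The event names (FlashLoan, Swap, Burn, Repay), pool ids, TVL figures, amounts and thresholds are constructed placeholders and assumptions to be mapped onto a real protocol's ABI and tuned per pool.

```python
"""Heuristic monitor for the atomic borrow/swap/extract/repay pattern in AMM event logs.

Added example, not code from the article or from either protocol. Event names,
pool ids, TVL figures and amounts are constructed placeholders, not chain data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    tx_hash: str
    log_index: int   # emission order inside the transaction
    name: str        # "FlashLoan", "Swap", "Burn" (liquidity removed), "Repay"
    pool: str        # pool or lender contract id (constructed)
    amount: float    # value in USD-equivalent units (constructed)


# Constructed sample log: one exploit-shaped atomic tx and two ordinary ones.
SAMPLE_EVENTS = [
    Event("0xaaa", 0, "FlashLoan", "lender", 200_000_000),
    Event("0xaaa", 1, "Swap", "pool-A", 150_000_000),
    Event("0xaaa", 2, "Swap", "pool-A", 140_000_000),
    Event("0xaaa", 3, "Burn", "pool-A", 1_800_000),
    Event("0xaaa", 4, "Repay", "lender", 200_000_000),
    Event("0xbbb", 0, "Swap", "pool-A", 5_000),    # ordinary trade
    Event("0xccc", 0, "Burn", "pool-B", 50_000),   # ordinary LP withdrawal
]

# Constructed total value locked per pool as of the previous block.
POOL_TVL = {"pool-A": 2_000_000, "pool-B": 3_000_000}


def group_by_tx(events):
    """Bucket events by transaction hash and order each bucket by log index."""
    by_tx = defaultdict(list)
    for ev in events:
        by_tx[ev.tx_hash].append(ev)
    return {tx: sorted(evs, key=lambda e: e.log_index) for tx, evs in by_tx.items()}


def analyse_tx(tx_hash, events, pool_tvl, drain_ratio=0.25, swap_multiple=5.0):
    """Return findings for one transaction's ordered events.

    A finding is raised when a pool lost at least `drain_ratio` of its TVL in
    this transaction. Severity is "high" when the first Burn for that pool sits
    between a FlashLoan and a Repay and the swap volume against the pool is at
    least `swap_multiple` times its TVL; otherwise "medium".
    """
    loan_idx = [i for i, e in enumerate(events) if e.name == "FlashLoan"]
    repay_idx = [i for i, e in enumerate(events) if e.name == "Repay"]
    swaps = defaultdict(float)
    burns = defaultdict(float)
    first_burn = {}
    for i, e in enumerate(events):
        if e.name == "Swap":
            swaps[e.pool] += e.amount
        elif e.name == "Burn":
            burns[e.pool] += e.amount
            first_burn.setdefault(e.pool, i)

    findings = []
    for pool, removed in burns.items():
        tvl = pool_tvl.get(pool)
        if not tvl:
            continue  # unknown pool: nothing to compare against
        drained = removed / tvl
        if drained < drain_ratio:
            continue
        inside_loan = bool(loan_idx) and bool(repay_idx) and \
            min(loan_idx) < first_burn[pool] < max(repay_idx)
        volume = swaps[pool] / tvl
        severity = "high" if inside_loan and volume >= swap_multiple else "medium"
        findings.append({
            "tx": tx_hash, "pool": pool, "drained_fraction": drained,
            "swap_volume_multiple": volume, "inside_flash_loan": inside_loan,
            "severity": severity,
        })
    return findings


def scan(events, pool_tvl):
    """Run the per-transaction analysis over a batch of events from one block."""
    findings = []
    for tx_hash, evs in group_by_tx(events).items():
        findings.extend(analyse_tx(tx_hash, evs, pool_tvl))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, POOL_TVL):
        print(finding)
```

On the constructed sample only the first transaction is reported: pool-A loses 90 percent of its TVL between the loan and the repayment after swaps worth 145 times the pool, while the ordinary trade and the ordinary withdrawal stay silent. Because such a sequence executes atomically, this is a post-hoc alert rather than a circuit breaker; the on-chain counterpart is a per-transaction cap on how much liquidity a single caller may remove relative to the pool.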