The Math Prodigy Whose Hack Upended DeFi Won’t Give Back His Millions

The Math Prodigy Whose Hack Upended DeFi Won’t Give Back His Millions

An 18-year-old graduate student exploited a weakness in Indexed Finance’s code and opened a legal conundrum that’s still rocking the blockchain community. Then he disappeared.

On Oct. 14, in a house near Leeds, England, Laurence Day was sitting down to a dinner of fish and chips on his couch when his phone buzzed. The text was from a colleague who worked with him on Indexed Finance, a cryptocurrency platform that creates tokens representing baskets of other tokens—like an index fund, but on the blockchain. The colleague had sent over a screenshot showing a recent trade, followed by a question mark. “If you didn’t know what you were looking at, you might say, ‘Nice-looking trade,’ ” Day says. But he knew enough to be alarmed: A user had bought up certain tokens at drastically deflated values, which shouldn’t have been possible. Something was very wrong.

Day jumped up, spilling his food on the floor, and ran into his bedroom to call Dillon Kellar, a co-founder of Indexed. Kellar was sitting in his mom’s living room six time zones away near Austin, disassembling a DVD player so he could salvage one of its lasers. He picked up the phone to hear a breathless Day explaining that the platform had been attacked. “All I said was, ‘What?’ ” Kellar recalls.

relates to The Math Prodigy Whose Hack Upended DeFi Won’t Give Back His Millions


Photographer: Joanne Coates for Bloomberg Businessweek

They pulled out their laptops and dug into the platform’s code, with the help of a handful of acquaintances and Day’s cat, Finney (named after Bitcoin pioneer Hal Finney), who perched on his shoulder in support. Indexed was built on the Ethereum blockchain, a public ledger where transaction details are stored, which meant there was a record of the attack. It would take weeks to figure out precisely what had happened, but it appeared that the platform had been fooled into severely undervaluing tokens that belonged to its users and selling them to the attacker at an extreme discount. Altogether, the person or people responsible had made off with $16 million worth of assets.

Kellar and Day stanched the bleeding and repaired the code enough to prevent further attacks, then turned to face the public-relations nightmare. On the platform’s Discord and Telegram channels, token-holders traded theories and recriminations, in some cases blaming the team and demanding compensation. Kellar apologized on Twitter to Indexed’s hundreds of users and took responsibility for the vulnerability he’d failed to detect. “I f—ed up,” he wrote.

The question now was who’d launched the attack and whether they’d return the funds. Most crypto exploits are assumed to be inside jobs until proven otherwise. “The default is going to be, ‘Who did this, and why is it the devs?’ ” Day says.

As he tried to sleep the morning after the attack, Day realized he hadn’t heard from one particular collaborator. Weeks earlier, a coder going by the username “UmbralUpsilon”—anonymity is standard in crypto communities—had reached out to Day and Kellar on Discord, offering to create a bot that would make their platform more efficient. They agreed and sent over an initial fee. “We were hoping he might be a regular contributor,” Kellar says.

Given the extent of their chats, Day would have expected UmbralUpsilon to offer help or sympathy in the wake of the attack. Instead, nothing. Day pulled up their chat log and found that only his half of the conversation remained; UmbralUpsilon had deleted his messages and changed his username. “That got me out of bed like a shot,” Day says.

He shared his suspicions with the team, who over the next few days combed the attacker’s digital trail. They discovered that the Ethereum wallet used to transfer tokens during the attack was connected to another wallet used to collect winnings in a recent hacking contest by a participant who sometimes identified himself as UmbralUpsilon. Pulling up the participant’s registration, they saw that it linked to a profile on the collaborative coding platform GitHub.

The GitHub profile had been created by someone whose email address began with “amedjedo” and was associated with a domain owned by a public school board in Ontario. Day and his colleagues also found a Wikipedia contributor with a username similar to the one on GitHub. The Wikipedia editor had once altered the page for a popular Canadian quiz competition for high school students, adding a name under “Alumni”: “Andean Medjedovic, notable mathematician.” Google filled in the rest. Medjedovic had until recently been a master’s student at the University of Waterloo in Ontario, specializing in mathematics. His résumé said he had an interest in cryptocurrency.

The team breathed a sigh of relief. Once cyberattackers have been identified, they often return funds in exchange for a face-saving bounty and credit for being a “white hat” hacker. Day had already contacted UmbralUpsilon to offer a 10% reward for the tokens’ safe return, striking a note of grudging praise—“well played,” he wrote—but hadn’t heard back. So Kellar tried a different tactic, messaging Medjedovic and addressing him as “Andean.” This time Medjedovic reacted, taunting Indexed users publicly on Twitter: “You were out-traded. There is nothing you can do about that. … Such is crypto.” When a team member emailed him independently, saying that if he returned the tokens they’d pay him $50,000, Medjedovic responded with a link to an Ethereum address. “Send the money over,” he wrote. They didn’t take the bait from their tormentor—who they’d learned, to their astonishment, was only 18 years old.

Finally Kellar texted Medjedovic to make one last plea before, he said, they would be forced to bring in lawyers and police. “I implore you to give up now and make this easy on yourself,” he wrote. The teenager responded with “Xdxdxd,” an emoticon that evokes dying of laughter, and added, “Best of luck.”

relates to The Math Prodigy Whose Hack Upended DeFi Won’t Give Back His Millions


Photographer: Cindy Elizabeth for Bloomberg Businessweek

When Kellar and his co-founders created Indexed, they imagined it as a step forward for DeFi, or decentralized finance, a blockchain-based movement that purports to offer a more automated, less intermediated version of borrowing and lending, asset trading, and portfolio management. Some proponents take a utilitarian view of DeFi, considering it an improved version of traditional finance, with its fee-taking middlemen and sluggish human decision-making. Others are more libertarian, seeing DeFi as an escape from the existing system, a way of circumventing the rules and restrictions imposed by governments or corporations. Then there are the skeptics, who think it’s all a grift.

Kellar, who describes himself as “very progressive,” fits squarely into the utilitarian camp. At age 23, after dropping out of the University of Texas at Dallas when computer science classes weren’t teaching him anything new, he started Indexed to solve a problem: What if you wanted to trade crypto but didn’t want the daily hassle of managing a portfolio?

In traditional finance, investors who want a wide, balanced array of stocks can purchase shares of index funds, outsourcing the day-to-day job of buying and selling the stocks to a portfolio manager. Kellar went about creating a similar arrangement on the blockchain, but with an algorithm driving the trading. Whereas an index fund manager would maintain a portfolio containing the underlying assets of an index share, the Indexed algorithm maintained a “pool” of underlying tokens for each index token. Users could swap one or all of the underlying assets into the pool in exchange for an index token—a process called “minting.” They could likewise “burn” an index token by trading it back into the pool in exchange for one or all of the underlying assets. Or, as with an exchange-traded fund, users could simply buy or sell index tokens on decentralized exchanges such as Uniswap.

Index funds take various forms, each with a different investment strategy. Some, such as the S&P500, are market-capitalization-weighted: If the value of one of its stocks goes up, the proportional value of that stock within the portfolio rises accordingly. Others seek to maintain a fixed balance of stocks. For example, if you wanted Microsoft shares to consistently make up 20% of your portfolio, and the value of the stock went up, the portfolio manager would sell shares of Microsoft to maintain its 20% weight.

Kellar and his team modeled Indexed on that type of fund, using a mechanism called an “automated market-maker” to maintain the balance of underlying assets, as many DeFi platforms do. Unlike a traditional market-maker, the AMM wouldn’t buy and sell assets itself; instead it would help the pool reach its desired asset balance by adjusting the “pool price” of component tokens to give traders an incentive to buy them from the pool or sell them into it. When the pool needed more of a particular token, its price within it would rise; when the pool needed less, the price would decline. This model assumed users would interact rationally with the protocol, buying low and selling high.

By eliminating human managers, Indexed could forgo management fees like the 0.95% its bigger rival, Index Coop, charged for simply holding its most popular index token. (Indexed would charge a fee for burning tokens and swapping assets within a pool, but those only applied to a small fraction of users.) It also saved on costs by limiting the number of interactions between the platform and outside entities. For example, when Indexed needed to calculate the total value held within a pool, instead of checking token prices on an exchange such as Uniswap, it sometimes extrapolated from the value and weight of the largest token within the pool, called the “benchmark” token. This way, it reduced the fees it paid for transactions on the Ethereum blockchain. Kellar saw full passivity as a “natural extension of the way index funds already operate.”

But passivity also created risk. If there was a problem with the code, someone could exploit it directly, without needing to bypass any human safeguards. And limiting blockchain interactions to cut costs entailed a trade-off: When a smart contract—a script that executes automatically when certain criteria are met—has fewer steps, it can leave more room for security vulnerabilities. The list of exploited crypto platforms is long and grows by the week: Poly Network, Wormhole, Cream Finance, Rari Capital, and many more. “There’s a common saying in DeFi that there are two types of protocols,” Day says. “Those that have been hacked and those that are going to be hacked.”

Kellar was aware of one possible pathway for attacks: the mechanism Indexed used to introduce a token to a pool. When such a “reindexing” occurs—after, say, one token has overtaken another in market value to qualify for inclusion in a blue-chip fund—the pool sets the new token’s initial price using a complex equation. One variable of that equation is the value of the benchmark token; if you could somehow futz with the pool’s pricing of that token, you could theoretically compel the pool to misprice its other tokens.

“I spent at least two weeks looking into this,” Kellar says. But he couldn’t find any errors, nor could two security researchers he paid to examine the code. So, he says, “I decided this is not an attack vector.” Still, Indexed posted a warning on its website: “We are confident in the security of our contracts … [but] we can not be absolutely certain that no mistakes were overlooked.”

The platform made its debut in December 2020, initially offering two index tokens: CC10, representing 10 of the top Ethereum-based tokens by market capitalization, and DEFI5, representing five top DeFi tokens. The project soon garnered a small but devoted following, including Day. He had a Ph.D. in theoretical computer science and a master’s in financial engineering, for which he’d written a thesis on stock-market index portfolio optimization. Indexed aligned with his interests and his relatively low appetite for risk. “I’m fundamentally, when it comes to investing outside crypto, quite boring,” he says.

Day and Kellar got along well. They shared an absurdist, extremely online sense of humor, and as a finance expert with a writerly bent and a creative coder, respectively, they had complementary skills. “I’m very much the wordcel to Dillon’s shape rotator,” says Day, who’s 33. He quit his job at an oil and gas company and joined Indexed full-time in April 2021.

Propelled by a surge in crypto interest that year, Indexed took off, soon becoming the second-biggest Ethereum-based index protocol by value, after Index Coop. They scaled up their ambitions, rolling out index tokens and planning an upgrade that would allow the assets in the pools to earn interest. The DeFi platform Balancer, on which Indexed had modeled its code, was impressed enough that it gave Indexed a grant—a vote of confidence in its future.

When Indexed went live, Medjedovic, who goes by Andy, had just started working on his master’s degree. He was on his way to finishing it in a year. He tended to do things quickly. He’d taken 10th grade math in elementary school, graduated from high school at 14, and cruised through his bachelor’s in three years at Waterloo, one of Canada’s top schools for math and computer science and the alma mater of Ethereum co-founder Vitalik Buterin. By fall 2021, Medjedovic had presented his master’s thesis on random matrix theory and was planning to apply to Ph.D. programs. “I can’t think of any other student in my time here who has gotten that degree that early,” says David Jao, a professor of mathematics at Waterloo.

As advanced as Medjedovic was academically, his social maturity lagged. One former classmate, who requested anonymity to speak candidly about sensitive matters, recalls him being “self-confident to the point of arrogance” and openly condescending to students he deemed less intelligent. “Whenever he did or said something, he believed it was infallible, the absolute truth,” the classmate says. Medjedovic apparently flirted with extremist ideas: The classmate says he heard him speak favorably about White supremacy and eugenics. (Medjedovic didn’t respond to requests for comment about this before publication.)

Still, Medjedovic made friends, connecting with them through activities such as chess and the video game League of Legends. He also enjoyed reading fiction, particularly sci-fi. His profile on one social network included a quote from Kurt Vonnegut’s Cat’s Cradle about the futility of humanity’s quest for knowledge: “Tiger got to hunt, bird got to fly; Man got to sit and wonder ‘why, why, why?’ Tiger got to sleep, bird got to land; Man got to tell himself he understand.”

Medjedovic was also becoming a proficient coder, regularly participating in an online hacking competition called Code4rena, or C4, in which developers compete for prize money put up by companies to find security flaws in their systems. He managed to win rewards in two C4 competitions. “He seemed pretty friendly and cool,” says Adam Avenir, who helps run C4 and corresponded with Medjedovic before and after the Indexed attack. “Like a young, earnest kid.”

Medjedovic took an interest in DeFi, particularly the mechanics of AMMs. “Whenever I would hear of a new type of DeFi product I would take a close look at how it operates and throw some money into it if I came up with a good idea,” he said in an email. (Medjedovic declined requests for a phone interview but agreed to answer questions over email.) He estimated he spent hundreds of hours “playing around with the math behind them, experimenting with the profitability of different strategies.” He then wrote bots that would execute arbitrage trades on those platforms, turning a small profit and helping the pools run more efficiently.

After reading about Indexed on a forum, he pored over its smart contract and noticed a “mispricing opportunity” in the code—the instrument Kellar had worried might let users distort the pool’s internal price calculations when new tokens were being introduced. He also saw it was possible to circumvent a safeguard limiting the size of certain trades within the pool. “At first, I didn’t believe it,” he said. He ran the calculations a few times, and, “on paper, it worked.” He spent the next month writing a script to exploit the vulnerability.

He also reached out to the Indexed team on Discord as UmbralUpsilon, asking basic questions about asset mix and pricing and offering to write an arbitrage bot for the platform. In retrospect, Day says, “I suspect he might have been angling to see if I could open up a crack for him to get into.” Kellar and Day say the information they shared wasn’t instrumental in the attack.

Finally, in mid-October, Medjedovic was ready to deploy the code. And just as important, two of the biggest Indexed pools were ripe for “reindexing.” All they needed was a user to introduce a minimal amount of the new token—in both cases, Sushi, the token corresponding to the DeFi exchange SushiSwap.

Exploiting the vulnerability required hundreds of commands, which court documents later took dozens of pages to explain. But the process contained a few key steps. For his attack on the pool of tokens that made up the DEFI5 index (and later, on the CC10 pool), Medjedovic wrote a program that took out a “flash loan”—a mechanism in crypto trading that gives users access to funds as long as they’re returned within the same set of preprogrammed transactions—worth $157 million. His script then used a large chunk of the borrowed funds to buy up nearly all of the pool’s UNI, the token corresponding to the DeFi exchange Uniswap. The sudden undersupply of UNI caused its price within the pool to skyrocket, as the algorithm sought to incentivize traders to stop swapping UNI out and start swapping it back in to restore its original balance. The more UNI Medjedovic bought, the more the price increased, eventually reaching 860 times its external market price. In total, he spent $109 million worth of tokens to buy up UNI that was really worth only $5.2 million.

The Attack on DEFI5: 1 Program, 7 Key Steps

It would have been a crazy trade on its face, except that UNI played a unique role in the DEFI5 pool. It was the benchmark token—the one from which the pool extrapolated its total value. With the amount of UNI in the pool dramatically reduced, the pool was now estimating its own value to be 380 times smaller than it really was. As a result, the amount of the newly introduced token, Sushi, that would have been required to mint DEFI5 tokens plummeted. If he’d wanted, Medjedovic could now have traded $3,200 worth of Sushi for DEFI5 tokens worth $1,172,000. And had he simply done that, Indexed would have been fine. The protocol places limits on the amount of a new token that users can swap into the pool, so he would have been able to extract only about 1.5% of the pool’s value—which, given transaction fees, wouldn’t have been profitable for him.

Instead, Medjedovic’s script took out another flash loan consisting of $2.4 million worth of Sushi tokens. And rather than swapping them into the pool, it gifted them to it—a seemingly irrational move that Indexed’s algorithm wasn’t designed to handle. The “donation” overwhelmed the pool and circumvented its usual trade limit for new tokens. This allowed Medjedovic’s program to freely trade overvalued Sushi for undervalued DEFI5 tokens, then cash those out for the pool’s underlying assets, pay back the loans, and keep the rest, now worth $11.9 million. The attack on the CC10 pool brought the total haul to $16 million.

Medjedovic, in his emails, recalled being surprised the exploit succeeded. “I only had a few tries to get it right,” he wrote, before he would run out of funds to pay for blockchain transaction fees.

“It was definitely very impressive,” Kellar says. “But it was a poor use of his talent.”

If Medjedovic ever considered returning the tokens, it wasn’t for long. After the Indexed team identified him, he posted a defiant poem on Twitter: “A single frog hops in the pool, does something cool;/ To boil him, they try. ‘Don’t arb that,’ and they start to cry./ But the frog is not dismayed, for he has god on his side.” Commenters egged him on. One posted crown emojis. Another wrote, “I love this guy.”

Some called out his use of racist language and tropes: The Ethereum address Medjedovic used for the attack included the number “1488”—shorthand for a neo-Nazi slogan—and he’d written the N-word into the code itself, 16 times. A Twitter user called him the “Dylan [sic] Roof of Balancer Pools,” a reference to the mass shooter who killed nine Black people at a church in Charleston, S.C., in 2015. Medjedovic liked the tweet.

The weeks after the attack were hell for Kellar and Day. They rushed between rebuilding the protocol, fielding blowback online, and devising a compensation plan for their token-holders. In a cruel turn, Day’s cat, Finney, was hit by a car and died.

On Dec. 9, nearly two months after the attack, Kellar and Day filed a lawsuit against Medjedovic in Ontario, arguing that his actions amounted to fraud and that he should be forced to return the tokens to their original owners. It turned out they weren’t the first to do so. An anonymous Delaware-registered company called Cicada 137 LLC had already sued Medjedovic, but the case had been sealed, and Kellar and Day didn’t learn about it until they filed their own motion. According to the complaint, Cicada 137 represents the largest holder of tokens lost in the exploit, which were worth about $9 million at the time of the attack. (Benjamin Bathgate, a lawyer for Cicada 137, declined to identify his client or clients.)

By the time Kellar and Day went to court, Cicada had already obtained an order freezing the disputed tokens. The court couldn’t actually control Medjedovic’s wallets, but he’d now be breaking the law if he moved them. Cicada also got an order for a search of Medjedovic’s parents’ house, where he’d been living. But when the search was executed on Dec. 6, he’d already left, taking his computer equipment with him. His parents and younger brother said they didn’t know where he was.

In their complaint, lawyers for Kellar and Day argued that two particular steps of the attack violated statutes against market manipulation and computer hacking. One was swapping almost all the UNI tokens out of the DEFI5 pool, the otherwise irrational trade that distorted the pricing such that Medjedovic could buy tokens out from under Indexed users, who were forced by the algorithm to sell. “The only purpose of that trade was to mislead token holders to part with tokens on terms they never would have agreed to,” says Stephen Aylward, a lawyer representing Kellar and Day. “We say that’s a form of market manipulation.” The same argument applied to Medjedovic’s interaction with the CC10 pool.

The second illegal transaction, they argued, was when Medjedovic overwhelmed the pool with free Sushi, thereby tricking the algorithm into letting him bypass the size limit on certain trades. Aylward calls this “an intentional act by Andean to disable a security measure, like disabling the security system at a bank.” He argues that this falls under Canada’s “extremely broad” legal definition of a hack, which can be interpreted as “subverting the intended purpose of a computer system.”

Medjedovic hasn’t officially responded to either suit; he told me he doesn’t even have a lawyer in Ontario. But in our email exchanges, he argued that he’d executed a perfectly legal series of trades. Nothing he did “involves getting access to a system I was not allowed access into,” he said. “I did not steal anyone’s private keys. I interacted with the smart contract according to its very own publicly available rules. The people who lost internet tokens in this trade were other people seeking to use the smart contract to their own advantage and taking on risky trading positions that they, apparently, did not fully understand.” Medjedovic added that he’d taken on “substantial risk” in pursuing this strategy. If he’d failed he would have lost “a pretty large chunk of my portfolio.” (The 3 ETH he stood to lose in fees was worth about $11,000 at the time.)

The case raises several tricky questions about how people should be allowed to interact with code on the blockchain. For instance, the plaintiffs allege that Medjedovic made a “false representation” by manipulating the value of the tokens in the pools. But did Medjedovic do this, or did the algorithm? Barry Sookman, a lawyer in Toronto specializing in information technology, says it’s a distinction without a difference: “Individuals are responsible for the activities of technologies they control.”

And if Medjedovic was engaged in deception, who was being deceived? That’s one basis on which Andrew Lin, a Dallas-based lawyer who advises Medjedovic but isn’t formally involved in the Ontario cases, rejects the false representation argument. “It’s unclear who he made a misrepresentation to,” Lin says. “He set forth lines of code. The code itself is neither true nor false.”

It’s impossible to predict how a judge would rule without knowing all the facts that might emerge during discovery, says Andrea Matwyshyn, a professor of law and engineering at Pennsylvania State University who studies cybersecurity. But the case is hardly clear-cut, especially considering Medjedovic’s argument that he took on risk. “People on Wall Street often make a lot of money very quickly when they see a gap and do strategic research,” Matwyshyn says. “I can imagine a world where a judge weighs various factors, after examining the technical and financial specifics of a scenario like this, and reaches the conclusion that there were variables that make this conduct more akin to a highly speculative trading scenario.”

Adding to the uncertainty is the legal and regulatory gray area in which DeFi operates. Anyone with the technical know-how can create an investment vehicle, put it online, and expose users to possible exploits. US Securities and Exchange Commission Chair Gary Gensler has indicated he plans to rein in crypto trading platforms, and Dan Berkovitz, a former commissioner at the Commodities Futures Trading Commission and now general counsel at the SEC, has called DeFi a “Hobbesian marketplace” with products that violate statutes on commodities trading. In March, the White House issued an executive order calling for regulations that would, among other goals, “reduce the risks that digital assets could pose to consumers, investors, and business protections.”

Proposed regulations might not have prevented the attack on Indexed, but they could help reduce risk and inform traders about potential hazards, says Ryan Clements, a law professor at the University of Calgary. “Code audits” by accredited parties, for example, could be required prior to launch, as well as real-name registration. However, Clements says, enforcement would be a challenge. Governments can’t “block” decentralized platforms the way they can websites, since they operate on globally distributed blockchains. And even if they could, copycat platforms might appear.

DeFi purists would prefer to keep governments away from their platforms. Chris Blec, who runs the watchdog site DeFi Watch, tweeted that the attack on Indexed was “an embarrassment for DeFi” and criticized the team for turning to a centralized institution like the courts for help. Kellar says he doesn’t see an alternative—it’s not like DeFi has its own justice system. And anyway, he believes DeFi should operate within the existing legal framework. “I think it should be decentralized in terms of governance and the management of projects,” he says. “But you need a central authority to enforce basic rules.”

A week after Kellar and Day filed their suit, Medjedovic appeared at a virtual hearing held over Zoom. His camera was off, and he barely spoke. The judge ordered him to either transfer the disputed assets to a neutral third party or to appear in court in person the following week. When the deadline arrived, Medjedovic still hadn’t transferred the tokens, and he failed to show up. The judge issued a warrant for his arrest.

The case is now in limbo until authorities can locate Medjedovic or he decides to appear. In a noncrypto case, if the plaintiffs obtained a default judgment, the court could simply order his bank to freeze his account or turn over his assets. But because of the nature of crypto wallets, which can be accessed only with a private key, authorities can’t get the tokens without Medjedovic. When I asked him if he’d spent any of the profits, he said, “I don’t believe in spending money.” Someone did recently move almost $400,000 worth of tokens from a wallet used in the Indexed attack to what appears to be a cryptocurrency mixing service, which makes tokens untraceable, suggesting that Medjedovic might be accessing some of the funds.

Almost everyone I spoke with wants him to surface, if not so they can get their money back, then so a court can address the thorny legal questions involved. Bathgate, the lawyer for Cicada 137, says there’s “good reason to believe” Medjedovic has fled the country. Law enforcement organizations in Ontario say they’re not actively pursuing him, and the Royal Canadian Mounted Police and FBI declined to comment. But hiding out won’t make his legal troubles go away. “I can assure Andean Medjedovic that litigation is not like a fine wine that improves with age,” wrote Judge Frederick Myers, who’s hearing the case.

Medjedovic doesn’t seem interested in public sympathy, to put it mildly. In his emails to me, he alternated between straightforward answers and apparent trolling. When I asked if he had anyone giving him advice, he went with the latter: “I’ve been exchanging DMs with my mentor, Peter Thiel, through all of this. … He was the one egging me on to do it!” (A representative for Thiel declined to comment.) Other answers included references to “ancestor simulations,” families with “diamonds they have stored extraterrestrially,” and a United Nations program “to sneak down other people’s chimneys and leave copies of Thucydides under their pillows.” The question of whether he means what he says is, per the tenets of internet s—posting, almost quaint.

As for his future, Medjedovic was insouciant: “I’m not concerned about ‘getting a job.’ Waging in the cage is not my idea of a good life.” He didn’t rule out the possibility of creating his own products: “If I ever get an idea for a necessary and useful technology I will, of course, build it. So far I haven’t had any divine inspiration on that front.”

In the meantime, the Indexed team pushes on. It launched an index token in January, but the platform’s total value has dropped even further since then, in step with the entire DeFi space, and the planned upgrade has been put on hold. “Neither of us really has the same drive to work on the project after all that’s happened,” Kellar says. Day adds that “most people recognize that Indexed isn’t coming back in force.”

On the bright side, Day has a new cat, Katniss. And as painful as the attack and its aftermath have been, it has brought attention: Kellar and Day are both fielding job offers in DeFi. Day is also applying to law schools. “There’s not many people who can bridge that divide between technical and legal frameworks,” he says. “I figured I’ll do it myself.”

In February, with Medjedovic still hiding out, Kellar and Day flew out to the ETHDenver convention, attending parties and panels and meeting fellow developers. But they spent most of their time talking to each other. It was their first-ever IRL hang, and they had much to discuss. Day commemorated the moment with a selfie of the two of them, Day grinning and Kellar looking bemused, and tweeted it with a caption: “Shape rotator squad roll out.”