The Math Prodigy Whose Hack Upended A Crypto Platform Won't Return Funds

On October 14, in a house near Leeds, England, Laurence Day was sitting down to a dinner of fish and chips on his couch when his phone buzzed.

On October 14, in a house near Leeds, England, Laurence Day was sitting down to a dinner of fish and chips on his couch when his phone buzzed. The text was from a colleague who worked with him on Indexed Finance, a cryptocurrency platform that creates tokens representing baskets of other tokens—like an index fund, but on the blockchain. The colleague had sent over a screenshot showing a recent trade, followed by a question mark. “If you didn't know what you were looking at, you might say, ‘Nice-looking trade,' ” Day says. But he knew enough to be alarmed: A user had bought up certain tokens at drastically deflated values, which shouldn't have been possible. Something was very wrong.

Day jumped up, spilling his food on the floor, and ran into his bedroom to call Dillon Kellar, a co-founder of Indexed. Kellar was sitting in his mom's living room six time zones away near Austin, disassembling a DVD player so he could salvage one of its lasers. He picked up the phone to hear a breathless Day explaining that the platform had been attacked. “All I said was, ‘What?' ” Kellar recalls.

They pulled out their laptops and dug into the platform's code, with the help of a handful of acquaintances and Day's cat, Finney (named after Bitcoin pioneer Hal Finney), who perched on his shoulder in support. Indexed was built on the Ethereum blockchain, a public ledger where transaction details are stored, which meant there was a record of the attack. It would take weeks to figure out precisely what had happened, but it appeared that the platform had been fooled into severely undervaluing tokens that belonged to its users and selling them to the attacker at an extreme discount. Altogether, the person or people responsible had made off with $16 million worth of assets.

Kellar and Day stanched the bleeding and repaired the code enough to prevent further attacks, then turned to face the public-relations nightmare. On the platform's Discord and Telegram channels, token-holders traded theories and recriminations, in some cases blaming the team and demanding compensation. Kellar apologized on Twitter to Indexed's hundreds of users and took responsibility for the vulnerability he'd failed to detect. “I f---ed up,” he wrote.