$126 000 000 USD
DESCRIPTION OF EVENTS
"EasyFi is a Layer 2 DeFi lending protocol designed for digital assets powered by the Polygon (formerly Matic) Network. It launched on Binance Smart Chain in early April and partnered with PancakeSwap for yield farming incentives." "EasyFi is a very new project which has received a lot of love & support from its users being the one of early movers on the layer 2 Polygon network."
"Founder and CEO Ankitt Gaur admitted in a blog that the hacker compromised private keys to EasyFi’s admin MetaMask account around 10:40 AM UTC on Apr. 19." "[M]alicious hackers under a well planned sophisticated attack, attacked the founder’s machine remotely to access mnemonic keys/admin keys and were able to drain protocol pools to the tune of $6 million of user’s deposits (from USDT/USDC/Matic/ETH/DAI markets)." "The hack, which took place 19 April, is considered to be among the largest in DeFi history, with $6 million in stablecoins and 2.98 million EZ tokens worth upwards of $120 million lost at the time of the attack."
"According to Gaur, the EasyFi smart contracts were not exploited and only the mnemonic phrase and admin keys for the network’s MetaMask account were compromised. Following a brief post-mortem, the EasyFi team concluded that the hack wasn’t a result of a MetaMask phishing attack. Instead, the physical computer used to execute official transactions was compromised and the wallets were accessed directly from the hard drive." "This is a mnemonic key hack. The EasyFi smart contracts were not exploited and only mnemonic phrase/admin keys were compromised from the metamask under a planned remote attack which was used to drain liquidity from the protocol. The physical machine was not tampered with, and it seems to be the issue with some remote access as might have been previously used on Hugh Karp."
"EasyFi’s native token crashed almost 50% as the news broke, falling from around $26 to $13.50 in under 24 hours." "Commentators on social media criticized EasyFi for using a hot MetaMask wallet for managing its smart contract." CEO Ankit Gaur "offered a $1 million reward to the hacker for returning the funds in full." "In a message to CoinDesk, Guar has confirmed that plans for a hard fork to recover funds are in the works." "Team EasyFi has decided, as communicated earlier, to create a new token contract (EASY V2)." "After another round of consultations and suggestions from large exchanges, forensic agencies, stakeholders & partners, it has been decided that the #EasyFi token ticker will be changed from $EASY to $EZ after the hard fork." "EasyFi shall rise from the ashes and reclaim the glory that has been lost in this unfortunate incident."
Decentralized code offers no opportunity to cancel or reverse even obviously fraudulent requests. This was made worse by managing the entire contract from what was effectively a hot wallet.
HOW COULD THIS HAVE BEEN PREVENTED?
This type of situation is easy to prevent with proper training and a multi-signature setup for all transactions.
EasyFi Security Incident Pre-Post-Mortem (May 11)
DeFi Protocol EasyFi Reports a Loss of Over $80M From Hack (May 11)
EasyFi Security Incident (May 11)
EasyFi Network Details $6M DeFi Hack in Latest Postmortem - BeInCrypto (May 11)
Reeling from post-hack price slump, Easyfi reveals community compensation plan (May 11)
EasyFi Network Details $6M DeFi Hack in Latest Postmortem (May 11)
EasyFi Hack Was Caused by Compromised Admin Keys - The Chain Bulletin (May 11)
EasyFi Hacked for Over $80 Million in MetaMask Attack | Crypto Briefing (May 12)
SlowMist Hacked - SlowMist Zone (May 18)