$126 000 000 USD

APRIL 2021

UNKNOWN

EASYFI

DESCRIPTION OF EVENTS

"EasyFi is a Layer 2 DeFi lending protocol designed for digital assets powered by the Polygon (formerly Matic) Network. It launched on Binance Smart Chain in early April and partnered with PancakeSwap for yield farming incentives." "EasyFi is a very new project which has received a lot of love & support from its users being one of the early movers on the layer 2 Polygon network."


"Founder and CEO Ankitt Gaur admitted in a blog that the hacker compromised private keys to EasyFi’s admin MetaMask account around 10:40 AM UTC on Apr. 19." "[M]alicious hackers under a well planned sophisticated attack, attacked the founder’s machine remotely to access mnemonic keys/admin keys and were able to drain protocol pools to the tune of $6 million of user’s deposits (from USDT/USDC/Matic/ETH/DAI markets)." "The hack, which took place 19 April, is considered to be among the largest in DeFi history, with $6 million in stablecoins and 2.98 million EZ tokens worth upwards of $120 million lost at the time of the attack."


"According to Gaur, the EasyFi smart contracts were not exploited and only the mnemonic phrase and admin keys for the network’s MetaMask account were compromised. Following a brief post-mortem, the EasyFi team concluded that the hack wasn’t a result of a MetaMask phishing attack. Instead, the physical computer used to execute official transactions was compromised and the wallets were accessed directly from the hard drive." "This is a mnemonic key hack. The EasyFi smart contracts were not exploited and only mnemonic phrase/admin keys were compromised from the metamask under a planned remote attack which was used to drain liquidity from the protocol. The physical machine was not tampered with, and it seems to be the issue with some remote access as might have been previously used on Hugh Karp."


"EasyFi’s native token crashed almost 50% as the news broke, falling from around $26 to $13.50 in under 24 hours." "Commentators on social media criticized EasyFi for using a hot MetaMask wallet for managing its smart contract." CEO Ankitt Gaur "offered a $1 million reward to the hacker for returning the funds in full." "In a message to CoinDesk, Gaur has confirmed that plans for a hard fork to recover funds are in the works." "Team EasyFi has decided, as communicated earlier, to create a new token contract (EASY V2)." "After another round of consultations and suggestions from large exchanges, forensic agencies, stakeholders & partners, it has been decided that the #EasyFi token ticker will be changed from $EASY to $EZ after the hard fork." "EasyFi shall rise from the ashes and reclaim the glory that has been lost in this unfortunate incident."

Decentralized code offers no opportunity to cancel or reverse even obviously fraudulent requests. This was made worse by managing the entire contract from what was effectively a hot wallet.

HOW COULD THIS HAVE BEEN PREVENTED?

This type of situation is easy to prevent with proper training and a multi-signature setup for all transactions.
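The multi-signature control named above, sketched as an added example (not code from EasyFi or from this page): a 2-of-3 approval guard in which one stolen admin key cannot authorize a withdrawal, cannot be counted twice, and whose approvals cannot be replayed. The signer names, keys, threshold and transaction fields are assumptions, and HMAC-SHA256 stands in for real wallet signatures.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC-SHA256 is a stand-in for the ECDSA
# signatures a real wallet or multisig contract would verify.
SIGNERS = {"founder": b"k-founder", "cto": b"k-cto", "custodian": b"k-custodian"}
THRESHOLD = 2  # assumed 2-of-3 policy


def tx_digest(tx: dict, nonce: int) -> bytes:
    """Bind an approval to one exact transaction and one nonce."""
    payload = json.dumps({"tx": tx, "nonce": nonce}, sort_keys=True).encode()
    return hashlib.sha256(payload).digest()


def approve(signer: str, key: bytes, tx: dict, nonce: int) -> tuple:
    return signer, hmac.new(key, tx_digest(tx, nonce), hashlib.sha256).digest()


class AdminGuard:
    def __init__(self, signers: dict, threshold: int):
        self.signers, self.threshold, self.nonce = signers, threshold, 0

    def execute(self, tx: dict, approvals: list) -> bool:
        digest = tx_digest(tx, self.nonce)
        valid = set()  # a set, so one key approving twice still counts once
        for signer, tag in approvals:
            key = self.signers.get(signer)
            if key is None:  # unknown signer names never count
                continue
            expected = hmac.new(key, digest, hashlib.sha256).digest()
            if hmac.compare_digest(tag, expected):
                valid.add(signer)
        if len(valid) < self.threshold:
            return False
        self.nonce += 1  # consume the nonce: earlier approvals stop verifying
        return True


def demo() -> list:
    guard = AdminGuard(SIGNERS, THRESHOLD)
    drain = {"action": "withdraw", "pool": "USDT", "to": "0xPLACEHOLDER"}
    stolen = approve("founder", SIGNERS["founder"], drain, 0)  # the one compromised key
    update = {"action": "set_rate", "pool": "DAI", "bps": 250}
    both = [approve(s, SIGNERS[s], update, 0) for s in ("founder", "cto")]
    return [guard.execute(drain, [stolen]), guard.execute(drain, [stolen, stolen]),
            guard.execute(update, both), guard.execute(update, both)]
```

`demo()` returns the outcome of four attempts in order: the stolen key alone, the stolen key submitted twice, a legitimate two-signer change, and a replay of that change.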



© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.