On Monday, April 19th, 2021, EasyFi, a decentralized finance protocol, reported suffering a hack of over $80 million. In a blog post by CEO and founder Ankitt Gaur, published later that day, we learned:
- The hacker transferred out 2.98 million EASY tokens, worth around $25 each, for a total of ~$75M.
- Also removed was $6 million from liquidity pools in U.S. dollars, DAI and tether (USDT).
- The hack was accomplished via the network admin's private MetaMask keys.
- The EasyFi smart contracts were not exploited.
- He also offered a $1 million reward to the hacker for returning the funds in full.
I’m going to assume the best, that the MetaMask keys were indeed stolen, but the question remains,
WHY DID ANY STILL-EXTANT ACCOUNT HAVE THE CAPABILITY TO PERFORM THESE OPERATIONS?
Once a DeFi system is fully deployed, it should be run entirely by its smart contracts. No single account should retain the capability to transfer out pooled funds or the project's own token reserve. Any provisions for handling late-caught errors or anomalies, and any future-proofing, can be made secure by requiring multiple signatures (multi-sig) held by a reasonable number of separate individuals, ideally with a timelock on privileged actions so that a pending change is visible on-chain before it takes effect and one stolen key, by itself, can do nothing.
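The difference between the two designs, as an added model that is not EasyFi's code and does not claim to describe how their contracts are written: a single admin key that can drain a pool outright, beside a 2-of-3 multi-sig with a timelock. Signer names, keys, the balance and the 24-hour delay are constructed for the illustration, and HMAC-SHA256 under each signer's secret stands in for the secp256k1 ECDSA signatures a wallet such as MetaMask would produce, so the script runs on the Python standard library alone.

```python
import hmac
import hashlib

# Constructed signer secrets; in production each would be a separate
# hardware-backed key held by a different person. HMAC-SHA256 stands in
# for the secp256k1 ECDSA a wallet would use, so this runs on the stdlib.
SIGNER_KEYS = {"alice": b"key-0001", "bob": b"key-0002", "carol": b"key-0003"}

def sign(signer, message):
    return hmac.new(SIGNER_KEYS[signer], message, hashlib.sha256).hexdigest()

def verify(signer, message, sig):
    return hmac.compare_digest(sign(signer, message), sig)

def encode_action(nonce, action, amount):
    """Canonical bytes a signature commits to; the nonce binds an approval
    to one proposal so it cannot be replayed for a second withdrawal."""
    return f"{nonce}:{action}:{amount}".encode()

class SingleKeyAdmin:
    """The pattern the post objects to: one key, no delay, full control."""
    def __init__(self, admin, balance):
        self.admin, self.balance = admin, balance

    def withdraw(self, signer, amount, sig):
        msg = encode_action(0, "withdraw", amount)
        if signer != self.admin or not verify(signer, msg, sig):
            raise PermissionError("not the admin key")
        self.balance -= amount
        return self.balance

class MultiSigTimelock:
    """M-of-N distinct approvals, then a public delay before execution."""
    def __init__(self, signers, threshold, delay, balance):
        if not 1 < threshold <= len(signers):
            raise ValueError("threshold must be >= 2 and <= number of signers")
        self.signers, self.threshold, self.delay = set(signers), threshold, delay
        self.balance, self.next_nonce, self.pending = balance, 0, {}

    def propose(self, action, amount):
        nonce, self.next_nonce = self.next_nonce, self.next_nonce + 1
        self.pending[nonce] = {"action": action, "amount": amount,
                               "approvals": {}, "ready_at": None}
        return nonce

    def approve(self, nonce, signer, sig, now):
        """Record one signer's approval; returns the count of distinct approvals."""
        p = self.pending[nonce]
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not a signer")
        if not verify(signer, encode_action(nonce, p["action"], p["amount"]), sig):
            raise PermissionError("bad signature")
        p["approvals"][signer] = sig  # keyed by signer: one key gets one vote
        if p["ready_at"] is None and len(p["approvals"]) >= self.threshold:
            p["ready_at"] = now + self.delay  # threshold reached: start the delay
        return len(p["approvals"])

    def execute(self, nonce, now):
        p = self.pending[nonce]
        if len(p["approvals"]) < self.threshold:
            raise PermissionError("threshold not met")
        if now < p["ready_at"]:
            raise PermissionError("timelock has not expired")
        del self.pending[nonce]  # consume the nonce so these approvals cannot be reused
        self.balance -= p["amount"]
        return self.balance

def _succeeds(fn):
    try:
        fn()
        return True
    except PermissionError:
        return False

def demo(stolen="alice", amount=6_000_000, delay=24 * 3600):
    """Run one compromised key against both designs; returns the outcomes."""
    out = {}
    single = SingleKeyAdmin(admin=stolen, balance=amount)
    sig = sign(stolen, encode_action(0, "withdraw", amount))
    out["single_key_drained"] = single.withdraw(stolen, amount, sig) == 0

    safe = MultiSigTimelock(["alice", "bob", "carol"], threshold=2, delay=delay, balance=amount)
    n = safe.propose("withdraw", amount)
    msg = encode_action(n, "withdraw", amount)
    safe.approve(n, stolen, sign(stolen, msg), now=0)
    out["double_vote_count"] = safe.approve(n, stolen, sign(stolen, msg), now=0)  # same key: still 1
    out["multisig_drained_by_one_key"] = _succeeds(lambda: safe.execute(n, now=0))
    safe.approve(n, "bob", sign("bob", msg), now=0)  # a second, honest signer
    out["executed_before_delay"] = _succeeds(lambda: safe.execute(n, now=0))
    out["balance_after_delay"] = safe.execute(n, now=delay)  # legitimate action completes
    return out
```

Calling `demo()` shows the contrast: the stolen key empties the single-admin balance immediately, while against the multi-sig the same key cannot reach the threshold even by approving twice, and once an honest second signer does approve, the withdrawal still waits out the delay, which is the window in which everyone else can see it coming and react. Auditing a live deployment along these lines means listing every privileged role and checking whether the address holding it is a single externally owned account or a contract enforcing something like this.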
Most DeFi systems have had their smart contracts audited, but this was not a smart contract exploit. It is a clear demonstration that the entire DeFi deployment, including key management and admin configuration and not just the contract code, needs to be audited from start to finish. I wonder how many other DeFi systems have the same problematic loophole.
Despite promises, Gaur has not updated his post nor posted a new one in the week-plus that has passed. While there have been a lot of promises about a hard fork to recover the EASY tokens, the dollars, DAI and tether are gone. Further, even if the EASY tokens are returned, EASY holders have still lost a lot of value, as the price of EASY has dropped substantially.
Worst of all, there has been no talk (that I can find) of preventing this vulnerability in the future.
Personally, I have a decent amount invested in DeFi. I have it spread out across a number of systems for exactly this reason — but many of them run through PancakeSwap so, if that has a vulnerability, I do have less diversity and thus more exposure than I would prefer. So, obviously, I want to raise a clamor about this vulnerability and get as many assurances as possible that a similar situation does not exist where I have my crypto.
As for EasyFi, not only was this an obvious vulnerability just waiting to be exploited, but the EasyFi personnel were clearly aware of it, since Gaur talked about keeping the machine offline most of the time so that the window of vulnerability was smaller. Indeed, it would be interesting to see if someone could take legal action against Gaur and the team. Clear promises were made despite the fact that they were aware of the vulnerability.
So, do *I* trust EasyFi?
Not only would that be an emphatic **NO!**
but *I* will avoid anything associated with these individuals in the future.
Originally posted on the Hive blogging blockchain here