EasyFi Hacked for Over $80 Million in MetaMask Attack
CEO said hackers compromised the Metamask browser extension by hacking into his computer.
- EasyFi CEO said that private keys to the project's admin MetaMask account had been compromised.
- Using the compromised private key, the hacker drained $6 million from EasyFi's stable coin liquidity pools.
- Hacker additionally stole 2.98 Million EASY tokens worth $75m at the time of the hack.
Share this article
EasyFi Network, a Layer-2 DeFi project on Polygon Network, reported that an unknown hacker stole tens of millions of dollars worth of funds from its official wallet.
Admin MetaMask Wallet Compromised
Founder and CEO Ankitt Gaur admitted in a blog that the hacker compromised private keys to EasyFi’s admin MetaMask account around 10:40 AM UTC on Apr. 19.
“Mnemonic phrase/admin keys were compromised from the MetaMask under a planned remote attack which was used to drain liquidity from the protocol,” Gaur wrote.
Using the compromised private key, the hacker drained $6 million from EasyFi’s stablecoin liquidity pools. They additionally stole 2.98 million EASY tokens worth $75 million at the time of the hack.
As mentioned earlier, users are requested NOT to interact with ANY of the contracts including $EASY token contract. Abstain from keeping any liquidity in DEXes.
We are in process of implementing an EASY token Hard Fork!
— @easyfi.network (@EasyfiNetwork) April 20, 2021
CEO Gaur further explained hackers compromised the Metamask browser extension by hacking into his computer.
“My computer was compromised, and Metamask was altered from the disk.”
Funds drained from liquidity pools were sent to Ren Bridge on Ethereum, converted into 123 Bitcoin, and sent to this Bitcoin address. Meanwhile, the stolen EasyFi tokens sit at the hacker’s Ethereum address.
Commentators on social media criticized EasyFi for using a hot MetaMask wallet for managing its smart contract.
2/ Multiple issues here.
First and most obvious, the poor security of the admin key.
The team apparently thought that a hot wallet w/ 12-word seed phrase would be satisfactory since the computer it was on was only used for "official transfers".
Obviously, that was a mistake. pic.twitter.com/ZTi777GxYl
— Chris Blec (@ChrisBlec) April 20, 2021
This incident is not the first time a noteworthy DeFi project was sabotaged using MetaMask wallet.
In December 2020, a fake MetaMask popup was used to trick the founder of Nexus Mutual into transferring more than 8 million to a hacker. In both cases, the MetaMask web extension was altered through the machine’s disk.
EasyFi has requested users not to interact with its token contracts and withdraw all liquidity in various DEXes.
The team is planning to implement an EASY token hard fork to recover the lost funds. Meanwhile, exchanges have suspended withdrawal and deposit of EASY tokens for the time being.
The hack harmed the value of EASY tokens, with price tumbling from ~$25 to $16.82 at the time of writing, as per CoinGecko.