After the Hack: Is EasyFi Trustworthy?

Mark April 29, 2021
0 Comments

The Facts

On Monday, April 19th, EasyFi, a decentralized finance protocol reported suffering a hack of over $80 million. In a blog post by CEO and founder Ankitt Gaur published later in the day, we learned:

  • The hacker transferred out 2.98 million EASY tokens worth around $25 for ~$75M
  • Also removed was $6 million from liquidity pools in U.S. dollars, DAI and tether (USDT).
  • The hack was accomplished via the network admin private MetaMask keys
  • The EasyFi smart contracts were not exploited.
  • He also offered a $1 million reward to the hacker for returning the funds in full.

I’m going to assume the best, that the Metamask keys were indeed stolen — but the question remains,

WHY DID ANY STILL-EXTANT ACCOUNT HAVE THE CAPABILITY TO PERFORM THESE OPERATIONS?

Once a complete DeFi system is set up, it should be entirely run by smart contracts.  No account should have the access/capability to do such things.  Any provisions to handle late-caught errors/anomalies and any future-proofing can be made secure by requiring multiple signatures (multi-sig) spread between a reasonable number of separate individuals.

Most DeFi systems have had their smart contracts audited — but this was not a smart contract exploit. This is a clear demonstration that the entirety of DeFi setups and configuration need to be audited from start to finish. I wonder how many other Defi systems have the same problematic loophole.

Despite promises, Gaur has not updated his post nor posted a new one in the week-plus that has passed. While there has been a lot of promises about a hard folk to recover the EASY tokens, the dollars, DAI and tether are gone. Further, even if the EASY tokens are returned, EASY holders have still lost a lot of value as the price of EASY has dropped substantially.

Worst of all, there has been no talk (that I can find) of preventing this vulnerability in the future.

Personally, I have a decent amount invested in DeFi. I have it spread out across a number of systems for exactly this reason — but many of them run through PancakeSwap so, if that has a vulnerability, I do have less diversity and thus more exposure than I would prefer. So, obviously, I want to raise a clamor about this vulnerability and get as many assurances as possible that a similar situation does not exist where I have my crypto.

As for EasyFi, not only was this was an obvious vulnerability just waiting to be exploited — but the EasyFi personnel were clearly aware of it since Gaur talked about keeping the machine off-line most of the time so that the window of vulnerability was smaller. Indeed, it would be interesting to see if someone could take legal action against Gaur and the team. Clear promises were made despite the fact that they were aware of the vulnerability.

The Opinion

So, do *I* trust EasyFi?
Not only would that be an emphatic **NO!**
but *I* will avoid anything associated with these individuals in the future.

Originally posted on the Hive blogging blockchain here

Categories: Uncategorized
Tags: , ,
Mark

Related Articles

Responses

Report

Harassment or bullying behavior
Contains mature or sensitive content
Contains misleading or false information
Contains abusive or derogatory content
Contains spam, fake content or potential malware

Block Member?

Please confirm you want to block this member.

You will no longer be able to:

  • See blocked member's posts
  • Mention this member in posts
  • Invite this member to groups
  • Message this member
  • Add this member as a connection

Please note: This action will also remove this member from your connections and send a report to the site admin. Please allow a few minutes for this process to complete.

Report

You have already reported this .