- The hacker transferred out 2.98 million EASY tokens worth around $25 for ~$75M
- Also removed was $6 million from liquidity pools in U.S. dollars, DAI and tether (USDT).
- The hack was accomplished via the network admin private MetaMask keys
- The EasyFi smart contracts were not exploited.
- He also offered a $1 million reward to the hacker for returning the funds in full.
I'm going to assume the best, that the Metamask keys were indeed stolen -- but the question remains,
WHY DID ANY STILL-EXTANT ACCOUNT HAVE THE CAPABILITY TO PERFORM THESE OPERATIONS?
Once a complete DeFi system is set up, it should be entirely run by smart contracts and no account should have access to do such things. Any provisions to handle late-caught errors/anomalies and any future-proofing should require multiple signatures (multi-sig) spread between a reasonable number of separate individuals.
Most DeFi systems have had their smart contracts audited -- but this was not a smart contract exploit. This is a clear demonstration that the entirety of DeFi setups and configuration need to be audited from start to finish. I wonder how many other Defi systems have the same problematic loophole.
Despite promises, Gaur has not updated his post nor posted a new one in the week-plus that has passed. While there has been a lot of promises about a hard folk to recover the EASY tokens, the dollars, DAI and tether are gone. Further, even if the EASY tokens are returned, EASY holders have still lost a lot of value as the price of EASY has dropped substantially.
Worst of all, there has been no talk (that I can find) of preventing this vulnerability in the future.
Personally, I have a decent amount of DeFi. I have it spread out across a number of systems for exactly this reason -- but many of them run through PancakeSwap so, if that has a vulnerability, I do have less diversity and thus more exposure than I would prefer. So, obviously, I want to raise a clamor about this vulnerability and get as many assurances as possible that a similar situation does not exist where I have my crypto.
As for EasyFi, not only was this was an obvious vulnerability just waiting to be exploited -- but the EasyFi personnel were clearly aware of it since Gaur talked about keeping the machine off-line most of the time so that the window of vulnerability was smaller. Indeed, it would be interesting to see if someone could take legal action against Gaur and the team. Clear promises were made despite the fact that they were aware of the vulnerability.
So, do I trust EasyFi?
Not only would that be an emphatic NO!
but I will avoid anything associated with these individuals in the future.
Posted Using LeoFinance Beta
So, it must be asked . . . . Is there any wallet on CubFinance that is capable of causing such a problem if it is hacked?
Fully agree with you, this "MetaMask hack" looks super weird. In their statements, EasyFi devs were indicating it was a target attack, but who knew they had such vulnerability? I may have miss the info, but it seems like an insider job.
I am glad I didn't invest anything in EasyFi (I was considering to do).
Great article as always! It is so much happening in the crypto space so it is hard to be on top of the details of all services. It is therefore important to get access to good evaluations of security and other important aspects. I fully agree that these reviews should cover more than just the smart contracts.