EasyFi, a Compound Finance fork launched directly on the Polygon Layer 2 Network, suffered a major hack on Monday, losing over $60M of the project’s EASY tokens and also $6M of users’ provided liquidity.
The hacker gained access to the project’s admin key, which allows developers to make changes to their protocol. The attack is the latest in a series of exploits to DeFi protocols and highlights yet another potential security flaw users should take into account when depositing their funds.
Admin Key Access
In a “pre-post mortem”, EasyFi co-founder Ankitt Gaur said the hacker gained remote access to the computer that held the admin key and transferred 2.89M EASY tokens to an Ethereum wallet, from which they have been swapping the tokens primarily for the USDC stablecoin.
Admin keys are widely used across DeFi because they allow developers to make updates to the protocols they’re building, but they leave open an Achilles’ heel from a security standpoint: whoever holds the key holds the protocol. The security practices of teams vary enormously, from dedicated machines used only to generate the key, to simply writing down a key produced by a wallet generator.
Going by EASY’s price of ~$20.5 at the time the protocol announced the hack on Twitter, the attack was worth $61M, though the token’s price had dropped throughout the previous 24 hours, likely because the hacker began selling before the news became public.
The hacker also managed to siphon off $6M of users’ liquidity in the protocol.
“It’s time for DeFi teams to start taking admin key opsec seriously, and this should start on Day 1 of the project,” Chris Blec, a DeFi researcher, told The Defiant. “The best time to ensure strong security is *before* any users have deposited funds.”
Blec pointed towards Lido Finance, a liquid staking solution for Ethereum and Terra, as an exemplary way to generate an admin key. The project had 11 of the most trusted names in DeFi generate their admin key, making the protocol difficult to compromise.
In order to make a protocol entirely trustless, a project must essentially lock the door and throw away the key, as Tornado Cash, the Ethereum privacy platform, did last May. But not all teams will be ready to give up control, as they will need to continue developing their product. In that case, admin-key and general security best practices should be followed.
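To make the three options above concrete (a single key that controls everything, handing control to a multisig generated by several parties as Lido did, or renouncing control entirely as Tornado Cash did), here is a minimal admin-controlled contract in the Compound style. This is an added illustration written for this article, not EasyFi’s, Compound’s or Lido’s code; the contract name, the `reserveFactor` parameter and the `renounceAdmin` function are assumed names chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example: a Compound-style admin-keyed contract.
/// Not code from EasyFi, Compound or Lido; names are illustrative.
contract AdminControlled {
    address public admin;          // the "admin key" the article discusses
    address public pendingAdmin;   // two-step handover guards against a typo'd address
    uint256 public reserveFactor;  // one example of a privileged parameter

    event NewPendingAdmin(address indexed oldPending, address indexed newPending);
    event NewAdmin(address indexed oldAdmin, address indexed newAdmin);
    event AdminRenounced(address indexed oldAdmin);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    // Option 1: a single externally owned account holds the key. If the
    // machine holding that key is compromised, the attacker is "admin".
    constructor() {
        admin = msg.sender;
    }

    // Privileged: whoever controls `admin` can reconfigure the protocol.
    function setReserveFactor(uint256 newFactor) external onlyAdmin {
        require(newFactor <= 1e18, "factor > 100%");
        reserveFactor = newFactor;
    }

    // Option 2, step 1: nominate a multisig (or timelock) as the new admin.
    function setPendingAdmin(address newPending) external onlyAdmin {
        emit NewPendingAdmin(pendingAdmin, newPending);
        pendingAdmin = newPending;
    }

    // Option 2, step 2: the multisig itself must call this, which proves its
    // signers can actually produce a transaction before control is moved.
    function acceptAdmin() external {
        require(msg.sender == pendingAdmin && msg.sender != address(0), "not pending admin");
        emit NewAdmin(admin, pendingAdmin);
        admin = pendingAdmin;
        pendingAdmin = address(0);
    }

    // Option 3: "lock the door and throw away the key". After this call no
    // address satisfies onlyAdmin, so the privileged functions are dead forever.
    function renounceAdmin() external onlyAdmin {
        emit AdminRenounced(admin);
        admin = address(0);
        pendingAdmin = address(0);
    }
}
```

The point of the two-step handover is that the compromise described in this article is not a bug in any of these functions; it is the private key behind `admin` being an ordinary wallet on an ordinary computer. Moving `admin` to a multisig whose keys were generated on separate machines by separate people means a single compromised laptop no longer satisfies `onlyAdmin`.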
EasyFi’s official postmortem is yet to come as are any announcements of compensation for the affected users though the team said on Twitter that both will be released soon.