EasyFi (Easy Network): Admin key theft via compromised machine (malicious MetaMask binary)
EasyFi lost ~$59M when an attacker compromised the founder's dedicated signing machine and used a stolen MetaMask private key to drain protocol funds on Polygon — the first major Layer 2 DeFi hack.
Summary
EasyFi (Easy Network), a Lending / Money Market protocol (Compound fork, Layer 2), suffered an admin key theft on 2021-04-19, resulting in a loss of approximately $59M.
Linked factors
- RD-F-001 — causal : ★ Audit scope mismatch — exploited code outside scope [via dashboard_risk_factors/Was exploited code in audit scope?: No — exploit was off-chain key compromise, not a code flaw. However, the `transfer()` admin function with no timelock was in-scope risk not ...] || ★ Audit scope mismatch — full field name [via dashboard_risk_factors/Was exploited code in audit scope?: No — exploit was off-chain key compromise, not a code flaw. However, the `transfer()` admin function with no timelock was in-scope risk not ...]
- RD-F-007 — causal : Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: No evidence of bug bounty program at time of hack]
- RD-F-027 — causal : ★ Single admin EOA (not multisig, not timelock) [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay] || ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — Single admin key execution of transfer() function with no timelock; this IS the exploit mechanism]
- RD-F-032 — related : Timelock duration on upgrades = 0 [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay]
- RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — Single admin key execution of transfer() function with no timelock; this IS the exploit mechanism]
- RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Compound Finance fork]
- RD-F-127 — related : Upstream Compound has patches that may not be merged here [via dashboard_risk_factors/Forked?: Y — Compound Finance fork]