Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 029 · Private Key Compromise

EasyFi Admin Wallet Compromise

Attackers compromised the CEO's machine, pulled keys from his MetaMask admin wallet, then minted EASY and drained $80M+ from liquidity pools on Polygon.

On April 19, 2021, the Polygon-based lending protocol EasyFi Network lost approximately $81 million when the attacker drained both the project's liquidity pools and a freshly minted batch of EASY tokens from EasyFi's admin wallet.

What happened

EasyFi's protocol-level administrative controls — including minting authority and treasury management — sat behind a single MetaMask admin wallet controlled by founder and CEO Ankitt Gaur.

At roughly 10:40 UTC on April 19, attackers compromised Gaur's physical computer and exfiltrated the private keys to the MetaMask wallet directly from the hard drive. The team initially suspected a MetaMask phishing or browser-extension exploit, but post-mortem analysis confirmed the compromise was at the endpoint level: malware on the CEO's machine read the wallet's encrypted vault, brute-forced the password, and lifted the keys.

With admin access in hand the attacker:

  1. Minted 2.98 million new EASY tokens at the protocol level, valued at $75M+ at then-market prices.
  2. Drained roughly $6M in stablecoins (USDC, DAI, USDT) directly from EasyFi liquidity pools.
  3. Bridged the proceeds through Ren Bridge into Bitcoin (~123 BTC) and onward to a single laundering address.

Aftermath

  • EasyFi paused the protocol and announced a recovery plan via a token migration to a redesigned contract with multi-sig + timelock administrative controls.
  • The community absorbed real losses; on-chain pursuit of the funds yielded no recoveries.
  • EasyFi never recovered its pre-incident standing among Polygon DeFi protocols.

Why it matters

EasyFi is one of the clearest case studies for why endpoint security for admin keys is the actual security model, not whatever the contract architecture promises. A single laptop with the master MetaMask vault on disk is one piece of malware away from being the whole protocol's compromise. The defensive response (hardware-wallet-only signing for admin paths, multi-sig with geographically distributed signers, timelocked admin actions) was already best practice in 2021 but routinely skipped by early-stage projects that had not yet learned the EasyFi lesson personally.
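
A monitoring check that follows from the multi-sig and timelock controls described above, as an added example that is not part of the original dossier or EasyFi's code: it reconciles observed token mints against a timelock queue and flags any mint that was never queued, lacks enough approvals, or ran before the delay elapsed. The `QueuedMint` record, the 48-hour delay, the threshold of 3 and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

ZERO = "0x" + "00" * 20   # ERC-20 mints are Transfer events from the zero address
MIN_DELAY = 48 * 3600     # assumed timelock delay, seconds
THRESHOLD = 3             # assumed multi-sig approval threshold

@dataclass(frozen=True)
class Transfer:           # decoded ERC-20 Transfer event
    time: int             # block timestamp, unix seconds
    sender: str
    recipient: str
    amount: int           # whole tokens

@dataclass(frozen=True)
class QueuedMint:         # hypothetical timelock queue record
    queued_at: int
    recipient: str
    amount: int
    approvals: int        # distinct signers that approved

def audit_mints(events, queue):
    """Return (event, reason) for each mint lacking a matured, approved queue entry."""
    unused, findings = list(queue), []
    for ev in events:
        if ev.sender.lower() != ZERO:
            continue                      # ordinary transfer, not a mint
        match = next((q for q in unused
                      if q.recipient.lower() == ev.recipient.lower()
                      and q.amount == ev.amount), None)
        if match is None:
            findings.append((ev, "no queued operation"))
            continue
        unused.remove(match)              # one queue entry authorises one mint
        if match.approvals < THRESHOLD:
            findings.append((ev, "below signer threshold"))
        elif ev.time - match.queued_at < MIN_DELAY:
            findings.append((ev, "executed before delay elapsed"))
    return findings

# Constructed sample data; addresses and timestamps are placeholders.
T0, DAY = 1_700_000_000, 86_400
TREASURY, UNKNOWN = "0x" + "aa" * 20, "0x" + "bb" * 20
QUEUE = [QueuedMint(T0, TREASURY, 50_000, 3),
         QueuedMint(T0 + 4 * DAY, TREASURY, 10_000, 3)]
EVENTS = [Transfer(T0 + 3 * DAY, ZERO, TREASURY, 50_000),         # queued, matured
          Transfer(T0 + 4 * DAY, ZERO, UNKNOWN, 2_980_000),       # never queued
          Transfer(T0 + 4 * DAY + 3600, ZERO, TREASURY, 10_000),  # too early
          Transfer(T0 + 5 * DAY, TREASURY, UNKNOWN, 100)]         # not a mint
```

Calling `audit_mints(EVENTS, QUEUE)` flags the unqueued 2,980,000-token mint and the early 10,000-token mint, and passes the mint that waited out the delay.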

Sources & on-chain evidence

  1. coindesk.com: https://www.coindesk.com/markets/2021/04/20/defi-protocol-easyfi-reports-hack-loss-of-over-80m-in-funds
  2. halborn.com: https://www.halborn.com/blog/post/explained-the-easyfi-hack-april-2021
  3. cryptobriefing.com: https://cryptobriefing.com/easyfi-hacked-over-80-million-metamask-attack/