I started my crypto journey answering the basic questions of how this works, why this important and why I should be paying attention. But then I wondered “What could go wrong? How does a crypto protocol get hacked and what happens after?”
Im starting this mini-series to help you discover what I found. Hope you enjoy.
Disclaimer: I’ll be talking about individual crypto projects in this series but this is for informational purposes only and not a solicitation to buy or sell any cryptoassets or currencies. Do your own due diligence.
The aptly named website Rekt is tracking the hacks, blow-ups and frauds that happen in the DeFi (decentralized finance) space. Apparently, the Spartan Protocol I wrote about last week is only the 6th highest hack so far on their “Rekt Leaderboard”:
Some cryptoassets are the victims of their own faulty code and/or flash loans, like in the case of Spartan Protocol. Others like Meerkat Finance appear to be outright frauds, where the developers left a backdoor open for them to access all the funds, funds were stolen, they publicly called it a hack, and then deleted all their public accounts. This is known in the DeFi industry as a “rug pull” and is far too common.
Thankfully, the Meerkat Finance story ended on a happy note. It ended up being some sort of weird social experiment to show everyone using DeFi how greedy they were becoming:
This is a really strange space where you really need to use extra caution.
#1 on the Rekt leaderboard is a token known as EasyFi, which has another interesting story: the founder left the admin keys to the entire network in a MetaMask wallet on his web browser:
(Ankitt) Gaur wrote that private keys to the network admin MetaMask account had been compromised through his computer, but the EasyFi smart contracts were not exploited.
Well, THANK GOODNESS the smart contracts are still safe!
This token had a single point of failure where a hacker could gain access to all the funds within the network’s treasury. The hacker used the private keys stolen from the MetaMask wallet to break in and reportedly steal around $80M at the time, much higher than Rekt states on their leaderboard.
According to Rekt, what they should have done is use a multi-sig wallet so that no one person could have access to where funds were stored. Or they could have just used a offline hardware wallet instead of having funds in an online wallet. Either way, the hacker effectively gained control of the entire network:
The hacker is now in control of 30% of the total supply, and with little liquidity, there is not much they can do. The founders are also in a tough situation; the EasyFi network has become centralized and controlled by a criminal mind.
After that you would think EasyFi would fade away, the founder and developers who worked on it cast out, everyone would stop buying their tokens and transaction volume and the price would plummet.
But you’d be wrong.
That’s right Kristen Bell! You may not be able to recover any of the stolen funds and lost all integrity and legitimacy, but you can still fork the protocol to create a new token when you get hacked:
Team EasyFi has decided, as communicated earlier, to create a new token contract (EASY V2). EasyFi operates on three blockchain networks namely Polygon, Ethereum, and Binance smart chain so all addresses holding EASY as per the below details shall be credited with the new EASY V2 token accordingly.
After another round of consultations and suggestions from large exchanges, forensic agencies, stakeholders & partners, it has been decided that the #EasyFi token ticker will be changed from $EASY to $EZ after the hard fork.
They also warned their users to stop trading the token, subjecting them to the risk of buying part of the stolen funds (which they won’t convert into the new token):
Please DO NOT BUY/SELL/TRADE EASY on-chain on any DEX/AMM and similar platforms. Users shall be liable for their own loss till the EASY V2 token swap process is completed.
Please DO NOT buy EASY token from contract address:
(I can’t put the address here because Substack won’t allow it)
On the Coinmonks blog, they described how the hard fork went, and somehow the team at EasyFi even managed to mess that up too:
The Hardfork and swap was an absolute mess as well. On April 30th, 2021, just hours before trading was restarted on Binance, EasyFi had to implement another emergency fork last minute due to an error that credited Binance holders the airdrop twice. This means that the current $EZ ERC-20 token being traded is actually an EASY V3 Token. Some holders expressed complaints about not having their $EZ airdrop credited to their Binance accounts, having to undergo a month-long retrieval application process which includes a $60 fee just to retain an airdrop that should have been deposited instantly upon arrival. If current trends continue, these users may coin (sic) may drastically depreciate by the time they receive them.
Seems like that’s exactly what’s been happening since the hack:
But don’t worry, as of Saturday, May 22, EasyFi reported they will have a new audit to make sure nothing like this ever happens again. Audits can help protect your investors from being lead into another hack right?
Well…
Something else happened on Saturday, May 22: another rug pull was reported with the DeFi100 token on the Binance Smart Chain. They were supposed to be an index fund token, representing the entire market cap of the DeFi sector on Binance. This story probably wont end as well as Meerkat, and $32M of funds may never be recovered:
The token was actually audited by Solidity Finance, a smart contract auditing service for DeFi projects. Not that anyone read it:
The owner can pause and unpause transfers of the token at any time; and can exempt addresses from the pause mechanism. The owner can also 'ban' users, disallowing them from moving their tokens.
The owner has the ability to update the Monetary Policy address at any time; as well as some variables used in calculating the rebase.
The owner can pause and unpause rebases at any time.
The owner has the ability to update the D100 token addresses and oracle addresses at any time; as well as some variables used in calculating the rebase & incentive payout for the rebase() caller.
The owner can also withdraw any tokens sent to the Monetary Policy contract by mistake.
Audit Findings Summary:
No issues from outside attackers were identified.
Ensure trust in the project team as they have notable power in the ecosystem.
Date: February 24th, 2021.
Oh well. Looks like they may take over the #6 spot now on the Rekt leaderboard.
Thoughts:
I don’t mean to keep bringing up projects on the Binance Smart Chain, but that seems to be where a lot of the action is at the moment. It’s obvious to me that they not only allow anyone and everyone to create a project on their smart chain but they also have a user base who are willing to buy anything with little to no research into these projects. There is little regulation as it is, and most of the these projects are outside of the US so the SEC/US government has no jurisdiction to go after these hackers or frauds even if they could find them.
“Binance US” only allows 50 cryptos because Binance was afraid of US regulatory backlash due to some of the coins being listed on the full exchange (which pretty much says all you need to know). On the actual Binance exchange, there are over 500 cryptoassets available. I can’t give you a concrete number of how many there are at this moment from the Binance site itself because they wont tell you, but that’s the number from Investopedia that keeps popping up (and no, I’m not going to count them).
For comparison, here are the current listed cryptos on US exchanges (who have between 50-60 available for purchase):
It’s not surprising that with such little oversight a lot of scams and untested projects are being listed on the exchange. And I’ve heard other overseas exchanges are similar. There’s simply too many to keep track.
As I learn more the more I find that the founders are extremely important when investing in the crypto space. Maybe that’s why venture capitalists feel so much more comfortable investing in these. It’s high risk, high reward, and highly dependent on the underlying technology and the founding team. That may be the right way to think about it if you’re looking to make more investments in this space.
Like I said before, these things are super resilient (As long as it wasn’t meant to be a fraud from the start). It also makes me realize how quickly these hacks can occur after the product launches and they start listing on exchanges. After a certain point, it seems as if hacking a crypto protocol becomes much harder as it grows and matures its network effects. But we’ll see.
In the future I plan on discussing what a 51% attack is, why it’s bad for something like a proof-of-work protocol like Bitcoin and how it’s already happened to another popular protocol still trading on most exchanges: Ethereum Classic.
I also plan on discussing the hiccups that other more popular DeFi applications built on the Ethereum blockchain experienced in the past. And how they not only survived the hacks but thrived afterwards.
But no matter what, this is an exciting space to continue watching.
Thanks for reading!
UPDATE:
Apparently there was another hack Rekt looked into from Wednesday, May 19th called “PancakeBunny.” Sparta has fallen to #7 already as I was writing this.
Also, where the hell do they keep getting these weird names from?