Harvest Finance – a yield farming protocol developed by anonymous developers – was hacked for at least $25M over the weekend.

The hack came less than 48 hours after Harvest crossed $1B in total value locked. As community members dug into the incident, it became clear that the attack went through the Curve Y pool. Using flash loans and a sequence of transactions, the attacker pushed the price of the stablecoins Harvest had deposited in Curve out of proportion and withdrew more from the vault than they had put in.

Here’s a good breakdown of the exploit from the CTO of Santiment.

This entire event took place in a seven-minute window. At its core, the culprit was the price-calculation mechanism the Harvest vaults used to value deposits and withdrawals. Unlike some exploits covered in the past, this one did not involve breaking into any smart contract: the contracts did exactly what they were written to do.

The Harvest debacle is better described as a price-oracle manipulation that created an arbitrage opportunity, leading to the loss of roughly $25M. Because the vault took its price from a single Curve pool, anyone who could move that pool's price within a transaction could move the vault's valuation along with it. Aggregated price oracles such as Chainlink's, which pull data from multiple sources, could potentially have prevented the exploit entirely: an aggregate feed would have removed the Curve pool price as a single point of failure.
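To make the mechanism concrete, here is a small simulation of the deposit/withdraw loop described above. It is added illustrative code, not Harvest's or Curve's contracts. It assumes a constant-product (x*y=k) USDT/USDC pool standing in for the Curve Y pool (which exaggerates slippage compared with Curve's StableSwap curve), a vault that holds idle USDT plus USDC in its strategy and values everything in USDT through a pluggable oracle, flash loans that cost nothing beyond pool swap fees, and a constant `1.0` as a stand-in for an external aggregated price feed. All balances are constructed figures.

```python
"""Simulation of a Harvest-style vault share-price manipulation.

Added example, not Harvest's or Curve's code. Assumptions: x*y=k pool in place
of Curve's StableSwap, a simplified vault, free flash loans, and a constant
reference price standing in for an aggregated oracle.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class Pool:
    """Constant-product AMM standing in for the Curve Y pool (assumption)."""
    usdt: float
    usdc: float
    fee: float = 0.0004  # 4 bps swap fee (assumed)

    def price_usdc_in_usdt(self) -> float:
        """Spot price: how many USDT one USDC fetches at the margin."""
        return self.usdt / self.usdc

    def _swap(self, reserve_in: str, reserve_out: str, amount_in: float) -> float:
        net_in = amount_in * (1 - self.fee)
        r_in, r_out = getattr(self, reserve_in), getattr(self, reserve_out)
        amount_out = r_out * net_in / (r_in + net_in)
        setattr(self, reserve_in, r_in + amount_in)
        setattr(self, reserve_out, r_out - amount_out)
        return amount_out

    def swap_usdc_for_usdt(self, amount: float) -> float:
        return self._swap("usdc", "usdt", amount)

    def swap_usdt_for_usdc(self, amount: float) -> float:
        return self._swap("usdt", "usdc", amount)


@dataclass
class Vault:
    """fUSDT-style vault: accepts USDT, mints shares at the current
    price-per-share, and values its USDC strategy holdings via `oracle`."""
    oracle: Callable[[], float]
    usdt_idle: float
    usdc_in_strategy: float
    total_shares: float
    balances: Dict[str, float] = field(default_factory=dict)

    def underlying_in_usdt(self) -> float:
        return self.usdt_idle + self.usdc_in_strategy * self.oracle()

    def price_per_share(self) -> float:
        return self.underlying_in_usdt() / self.total_shares

    def deposit(self, who: str, usdt: float) -> float:
        minted = usdt / self.price_per_share()
        self.usdt_idle += usdt
        self.total_shares += minted
        self.balances[who] = self.balances.get(who, 0.0) + minted
        return minted

    def withdraw(self, who: str, shares: float) -> float:
        if shares > self.balances.get(who, 0.0):
            raise ValueError("insufficient shares")
        payout = shares * self.price_per_share()
        if payout > self.usdt_idle:
            raise ValueError("vault would need to unwind its strategy (not modelled)")
        self.usdt_idle -= payout
        self.total_shares -= shares
        self.balances[who] -= shares
        return payout


def run_attack(use_spot_oracle: bool, loan_usdt: float = 10e6, loan_usdc: float = 10e6) -> float:
    """Return the attacker's net profit in USD after repaying both flash loans."""
    pool = Pool(usdt=20e6, usdc=20e6)
    # Vulnerable: value strategy holdings at the pool's spot price.
    # Mitigated: a constant reference price, standing in for an aggregated feed.
    oracle = pool.price_usdc_in_usdt if use_spot_oracle else (lambda: 1.0)
    vault = Vault(oracle=oracle, usdt_idle=10e6, usdc_in_strategy=20e6,
                  total_shares=30e6, balances={"honest_lp": 30e6})

    # 1. Skew the pool: dump borrowed USDC so USDT becomes scarce and the pool's
    #    USDC->USDT price collapses, which depresses the vault's valuation.
    usdt_from_swap = pool.swap_usdc_for_usdt(loan_usdc)
    # 2. Deposit borrowed USDT while price-per-share is artificially low.
    shares = vault.deposit("attacker", loan_usdt)
    # 3. Swap back to restore the pool price and recover most of the USDC.
    usdc_back = pool.swap_usdt_for_usdc(usdt_from_swap)
    # 4. Redeem the shares at the restored, higher price-per-share.
    usdt_out = vault.withdraw("attacker", shares)
    # 5. Repay both loans; anything left came out of honest_lp's position.
    return (usdt_out - loan_usdt) + (usdc_back - loan_usdc)


if __name__ == "__main__":
    print(f"spot-price oracle : {run_attack(True):>14,.0f} USD")
    print(f"reference oracle  : {run_attack(False):>14,.0f} USD")
```

With the spot-price oracle the attacker walks away with several million of the honest depositor's value in a single transaction; with the reference price the same sequence loses the swap fees. The exaggerated size of the gain is an artefact of the x*y=k assumption, but the sign is what matters: a vault that prices shares off a number an attacker can move inside the same transaction is exploitable regardless of how flat the curve is. A per-block time-weighted price or a deposit/withdraw cooldown breaks the same loop, since both stop the price and the redemption from happening in one transaction.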

Interestingly, after draining $25M the attacker sent $2.4M back to the Harvest deployer address in USDT and USDC.

What’s Next?

Since news of the exploit broke, Harvest’s governance token – FARM – has tumbled by more than 65% in less than an hour. Across crypto Twitter, influencers and educators are advising their followers to withdraw all funds from Harvest as a precaution.

The Harvest team has released numerous updates and has even indicated that it has some idea who the attacker is. For now, however, the plan appears to be to pressure the attacker into returning the funds rather than to reveal their identity publicly.

Keep up with Harvest Finance by following them on Twitter.