Harvest Finance – a yield farming protocol developed by anonymous developers – was hacked for at least $25M over the weekend.
📖 Post-mortem summary
🔒 Risk mitigation strategy
🫂 Community and emissions updates
👇 ..and more! Check out our Week 9 updates https://t.co/dscsrhz3SG
— Harvest Finance (@harvest_finance) October 28, 2020
The hack came less than 48 hours after Harvest crossed $1B in total value locked. As more community participants investigated the news, we soon learned that the attack was performed through the Curve Y Pool. Through the use of flash loans and a series of transactions, the attacker was able to stretch the price of Harvest-deposited stablecoins in Curve out of proportion and withdraw more than they had deposited.
Here’s a good breakdown of the exploit from the CTO of Santiment.
1. Swap 11.4m USDC to USDT -> USDT price up
2. Deposit 60.6m USDT into Vault
3. Exchange 11.4m USDT to USDC -> USDT price down
4. Withdraw 61.1m USDT from Vault -> 0.5m profit
5. Rinse and repeat
— Valentin Mihov (@valentinmihov) October 26, 2020
This entire event took place in a 7-minute period. At the core, the price calculation mechanism that the Harvest team used was the main culprit. Unlike some exploits covered in the past, this one did not involve breaching any existing smart contracts.
The Harvest debacle is really better described as a price oracle manipulation exploit that created an arbitrage opportunity leading to the loss of $25M in funds. The use of Chainlink price oracles here could have potentially prevented the exploit entirely as they are aggregates that pull data from multiple sources. Having an aggregate price feed would have eliminated the change in price on Curve as a single point of failure.
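To make the single point of failure concrete, here is an added Python sketch (not Harvest's or Curve's code) of a vault that prices its shares from one pool's spot price, next to a guard that checks that price against the median of independent reference prices before quoting a deposit. It assumes a constant-product pool as a stand-in for Curve's StableSwap math, so the price move is exaggerated; the class names, reserves, reference prices and 1% tolerance are all constructed for illustration.

```python
from statistics import median

class ToyPool:
    """Constructed constant-product pool (x*y=k); a stand-in, not Curve's StableSwap math."""
    def __init__(self, usdc, usdt):
        self.usdc, self.usdt = float(usdc), float(usdt)

    def spot_price(self):
        # USDC per 1 USDT at the margin: the value one large swap can move.
        return self.usdc / self.usdt

    def swap_usdc_for_usdt(self, usdc_in):
        k = self.usdc * self.usdt
        self.usdc += usdc_in
        usdt_out = self.usdt - k / self.usdc
        self.usdt -= usdt_out
        return usdt_out

class ToyVault:
    """Hypothetical vault owning a fraction of the pool and pricing shares in USDT."""
    def __init__(self, pool, pool_fraction, shares, feeds, max_deviation=0.01):
        self.pool, self.pool_fraction, self.shares = pool, pool_fraction, shares
        self.feeds, self.max_deviation = feeds, max_deviation

    def share_price(self):
        # Assets valued with the pool's own spot price: the single point of failure.
        p = self.pool
        assets = self.pool_fraction * (p.usdt + p.usdc / p.spot_price())
        return assets / self.shares

    def price_is_sane(self):
        # Compare the pool price with the median of independent feeds.
        ref = median(self.feeds)
        return abs(self.pool.spot_price() - ref) / ref <= self.max_deviation

    def quote_deposit(self, usdt_amount, guarded=True):
        if guarded and not self.price_is_sane():
            raise ValueError("pool price deviates from reference feeds")
        return usdt_amount / self.share_price()

def demo():
    pool = ToyPool(1_000_000_000, 1_000_000_000)        # constructed reserves
    feeds = [1.0003, 0.9998, 1.0001]                    # constructed reference prices
    vault = ToyVault(pool, 0.1, 200_000_000, feeds)
    fair = vault.quote_deposit(60_600_000)              # balanced pool: passes the guard
    pool.swap_usdc_for_usdt(11_400_000)                 # one large swap skews the pool
    skewed = vault.quote_deposit(60_600_000, guarded=False)
    return fair, skewed, vault.price_is_sane()

if __name__ == "__main__":
    print(demo())
```

With the guard left on, the second quote raises instead of minting shares at the skewed price, because the pool's spot price sits more than 1% away from the reference median.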
Interestingly enough, after successfully draining $25M the hacker decided to send $2.4M back to the Harvest Deployer in the form of USDT and USDC.
Following news of the exploit, Harvest’s governance token – FARM – tumbled by more than 65% in less than an hour. All around crypto Twitter, influencers and educators are advising their followers to withdraw all funds from Harvest as a precautionary measure.
The Harvest team has released numerous updates and even indicated that they had some idea as to who the attacker is. However, it seems like the current plan is to pressure them into returning the funds rather than simply revealing their identity to the public.
In addition to the BTC addresses which hold the funds, there is now a significant amount of personally identifiable information on the attacker, who is well-known in the crypto community.
We are putting out a 100k bounty for the first person or team to reach out to the attacker
— Harvest Finance (@harvest_finance) October 26, 2020
Keep up with Harvest Finance by following their Twitter.