Harvest Finance, one of the latest DeFi projects to ride on the waning yield farming wave, was exploited over the weekend, shortly after its total value locked crossed the $1B mark. The hacker was able to drain $33.8M worth of stablecoins.
Users can deposit a variety of stablecoins and governance tokens in the Harvest platform in exchange for fTokens, or interest-earning wrappers. Deposits are then sent to popular DeFi protocols like Curve, Uniswap and Balancer to aggregate the highest returns.
The attacker was able to manipulate the price of USDC and USDT inside the Y pool on Curve.fi, get vault shares (fTokens) for a beneficial price, and exit the Harvest Finance vault at a lower share price generating a profit, according to Harvest’s post mortem.
The anonymous team-led project was able to attract hundreds of millions in digital tokens less than two months after launch as traders chased attractive APYs amid a dwindling number of farming opportunities. But traders have pulled over half of those assets after the hack, leaving Harvest enthusiasts to wonder whether or not the meme-driven project can rebound from a seemingly devastating blow.
Harvest Finance TVL has plunged to $415M, while the FARM token is down more than 50% in the past seven days to ~$110.
Harvest assets climbed in the past two weeks as the platform’s governance token, FARM, ran up from $90 at the start of October to as high as $336 last week.
Amidst the growing focus around Harvest, content creator Chris Blec raised the alarm that the project had control over admin keys with the power to theoretically withdraw users’ funds
Whether by chance or circumstance, less than 48 hours later the hacker started draining the project. They were able to source $50M of USDC with a flash loan on Uniswap to manipulate prices in the USDT-USDC liquidity pool in Curve. They then returned almost $2.5M.
tl;dr on harvest exploit pic.twitter.com/4CyFEIGPt7
— banteg (@bantg) October 26, 2020
The Harvest team acted quickly to protect the rest of the Vaults, saving the protocol of any additional losses, and it’s trying to identify the hacker’s addresses so that exchanges can stop them from cashing out. It remains to be seen whether exchanges are willing to help in this regard.
Stop fucking up your bullshit DeFi scams and expecting exchanges to bail you out. I will not accept your attempt at externalizing the cost of your hasty, reckless rollout. Invest in audits, insurance and please DYOR. Taking your losses is the only way to enlightenment.
— Jesse Powell (@jespow) October 26, 2020
Harvest, which had been audited by PeckShield, is also offering a $100k bounty for whoever can help them get the attacker to return the rest of the funds. The team says it has identified the hacker as a “well-known” member of the crypto community, sending the community on a goose hunt.
Meanwhile many are left to question the ethics regarding the flash loan attack: Some say this is the case of a trader legitimately taking advantage of an arbitrage opportunity, while others say the hacker exploited the code to provoke an illicit price manipulation, stealing other users’ funds. As the debate rages, Harvest users wait to see whether they’re made whole.
it was hack. it was a crime.
the thief is no longer welcome in ethereum community.
— ????? ?? (@scott_lew_is) October 26, 2020