Harvest Finance Grapples to Make Users Whole After ~$34M Hack


Harvest Finance, one of the latest DeFi projects to ride on the waning yield farming wave, was exploited over the weekend, shortly after its total value locked crossed the $1B mark. The hacker was able to drain $33.8M worth of stablecoins.

Users can deposit a variety of stablecoins and governance tokens in the Harvest platform in exchange for fTokens, or interest-earning wrappers. Deposits are then sent to popular DeFi protocols like Curve, Uniswap and Balancer to aggregate the highest returns.

Post Mortem

The attacker was able to manipulate the price of USDC and USDT inside the Y pool on Curve.fi, get vault shares (fTokens) for a beneficial price, and exit the Harvest Finance vault at a lower share price generating a profit, according to Harvest’s post mortem.
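The share-pricing weakness described in the post mortem can be seen in a toy model, added here as an illustration and not taken from Harvest's contracts: a vault that values its pool position at the current spot price mints too many shares while that price is skewed. The class, the deviation guard and every number below are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class ToyVault:
    """Toy model: share price is read from a manipulable pool spot price."""
    pool_units: float                    # vault's position inside the pool
    shares: float                        # fTokens outstanding
    idle_usdc: float = 0.0               # deposits not yet invested
    max_deviation: float = float("inf")  # inf = no guard (vulnerable form)
    reference: float = 1.0               # assumed fair USDC value of one pool unit

    def total_value(self, spot: float) -> float:
        return self.idle_usdc + self.pool_units * spot

    def _guard(self, spot: float) -> None:
        # Assumed mitigation: refuse to price shares while the spot price is off-peg.
        if abs(spot - self.reference) / self.reference > self.max_deviation:
            raise ValueError(f"spot {spot} deviates too far from {self.reference}")

    def deposit(self, usdc: float, spot: float) -> float:
        self._guard(spot)
        minted = usdc * self.shares / self.total_value(spot)
        self.idle_usdc += usdc
        self.shares += minted
        return minted

    def withdraw(self, burned: float, spot: float) -> float:
        self._guard(spot)
        usdc = burned / self.shares * self.total_value(spot)
        from_idle = min(usdc, self.idle_usdc)   # pay from idle funds first
        self.idle_usdc -= from_idle
        self.pool_units -= (usdc - from_idle) / spot
        self.shares -= burned
        return usdc

def round_trip(vault: ToyVault, usdc: float, skewed_spot: float, fair_spot: float = 1.0):
    """Deposit while the pool price is skewed, withdraw once it is back at fair value.
    Returns (depositor profit, loss borne by the pre-existing shareholders)."""
    holders_before = vault.total_value(fair_spot)
    minted = vault.deposit(usdc, skewed_spot)
    paid_out = vault.withdraw(minted, fair_spot)
    return paid_out - usdc, holders_before - vault.total_value(fair_spot)

if __name__ == "__main__":
    # Constructed numbers, not figures from the incident.
    print(round_trip(ToyVault(100e6, 100e6), 50e6, 0.99))
    try:
        round_trip(ToyVault(100e6, 100e6, max_deviation=0.003), 50e6, 0.99)
    except ValueError as e:
        print("guarded vault rejected the deposit:", e)
```

In the unguarded run the depositor's gain equals the loss taken by the existing shareholders, which is why the guard checks the price before any shares are minted or redeemed.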

The anonymous team-led project was able to attract hundreds of millions in digital tokens less than two months after launch as traders chased attractive APYs amid a dwindling number of farming opportunities. But traders have pulled over half of those assets after the hack, leaving Harvest enthusiasts to wonder whether or not the meme-driven project can rebound from a seemingly devastating blow.

Image source: DeFi Pulse

Harvest Finance TVL has plunged to $415M, while the FARM token is down more than 50% in the past seven days to ~$110.

Admin Keys

Harvest assets climbed in the past two weeks as the platform’s governance token, FARM, ran up from $90 at the start of October to as high as $336 last week.

Amid the growing focus on Harvest, content creator Chris Blec raised the alarm that the project had control over admin keys with the power to theoretically withdraw users’ funds.


Flash Loan

Whether by chance or circumstance, less than 48 hours later the hacker started draining the project. They were able to source $50M of USDC with a flash loan on Uniswap to manipulate prices in the USDT-USDC liquidity pool in Curve. They then returned almost $2.5M.

The Harvest team acted quickly to protect the rest of the Vaults, sparing the protocol any additional losses, and it is trying to identify the hacker’s addresses so that exchanges can stop them from cashing out. It remains to be seen whether exchanges are willing to help in this regard.

Ethics Question

Harvest, which had been audited by PeckShield, is also offering a $100k bounty to whoever can help it get the attacker to return the rest of the funds. The team says it has identified the hacker as a “well-known” member of the crypto community, sending the community on a wild goose chase.

Meanwhile, many are left to question the ethics of the flash loan attack: some say this is a case of a trader legitimately taking advantage of an arbitrage opportunity, while others say the hacker exploited the code to provoke an illicit price manipulation, stealing other users’ funds. As the debate rages, Harvest users wait to see whether they’re made whole.
