Harvest Finance Exploit Explained, Team Announces Plan Of Action

  • The attacker used a flash loan from Uniswap to fund his arbitrage scheme, profiting a total of $24 million in the end.
  • The Harvest Finance team has announced a $100,000 reward for anyone who is able to convince the attacker to return the funds.

Illustration from Shutterstock

An attacker used an arbitrage trade to exploit a weak point in DeFi protocol Harvest Finance, resulting in the loss of $24 million worth of stablecoins from the project’s liquidity pools, the firm said in a post-mortem of the incident on 26 October.

According to the announcement, the event started on 26 October at 02:53 AM UTC with the attacker deploying a smart contract, which carried out the entire attack. He first obtained $50 million in USDC and $18 million in USDT from a flash loan from Uniswap, and then proceeded with swapping $17 million of his USDT to USDC inside the Y pool on Curve.fi, where the funds of Harvest’s vaults were invested.

With the USDC amount increased in the pool, the attacker then proceeded with depositing almost $50 million worth of USDC in Harvest’s USDC vault at a rate of about 0.97 per share, which was lowered from 0.98 per share by the previous transaction. He then exchanged about $17 million worth of USDC back into USDT, raising the rate back to 0.98 per share, and then withdrew his stake from the pool, netting himself more than $600,000 in profits.

All of this was carried out within the context of a single transaction, with the attacker executing 17 transactions aimed at USDC within 4 minutes. He then repeated the same process for the USDT vault, executing 13 transactions targeting the stablecoin within 3 minutes. Around 03:01 AM UTC, the attacker transferred $13 million worth of USDC and $11 million worth of USDT to his own wallet, and then for some unknown reason, sent Harvest Finance $2.5 million worth of USDC and USDT.

Shortly after the attack, the DeFi protocol tweeted that the person behind the exploit “is well-known in the crypto community”, and that they left a “significant amount of personally identifiable information”. The project noted that it did not wish to doxx the attacker, but still offered a $100,000 bounty to whoever was able to convince the attacker to send back the remaining funds. The team behind the project further said in a statement:

“For the attacker: you’ve proven your point, if you can return the funds to the users, it would be greatly appreciated by the community, including many bystanders.”

Now, due to the incident, the DeFi protocol is forced to delay the release of its smart contract improvements, which were scheduled for 27 October. The firm had to also withdraw all its funds from the shared pools, and relocated them to their vaults, where they will remain safe and sound until measures are taken against this kind of an attack. Harvest has also gotten in contact with the developers behind MerkleDistributor, and are now working on a tool to distribute the $2.5 million returned by the attacker to affected users.

The project is also pondering over possible mitigation strategies, that can be used to prevent this from happening in the future. Possible options include implementing a commit-and-reveal mechanism for deposits, which will remove the ability to perform deposits and withdrawals within a single transaction. Such a move, however, could potentially increase the gas cost for depositors. Another option is to tighten the threshold for deposit arbitrage check, which is currently at 3%, though this could be limiting deposits in the case of a “natural impermanent loss effects”.

Related Coverage
Unibot to Compensate Users Affected by Exploit
  • Popular Telegram bot Unibot, which is used to snipe trades on Uniswap, became a victim of a token approval exploit earlier today, when it was switching to a new router.
  • After confirming the exploit, Unibot assured users that their keys and wallets were safe, and that the project will compensate all affected users.
October 31, 2023, 3:01 PM


Balancer Exploited After Giving Warning
  • DeFi protocol Balancer confirmed it was exploited almost a week after disclosing a critical vulnerability affecting several of its boosted pools.
  • The platform did its best to mitigate some of the risks but was unable to pause the affected pools, and an estimated $980,000 in DAI were stolen in an attack.
Zunami Protocol’s Stablecoin Pools Exploited, Suffers $2.1M Loss
  • DeFi yield aggregator Zunami Protocol confirmed that a hacker had attacked its “zStables” pools on Curve Finance using a price manipulation exploit.
  • Security firm PeckShield has estimated that over $2.1 million was lost during the attack, while SlowMist said it had informed Zunami of the vulnerability two months ago.