Harvest Finance Exploit Explained, Team Announces Plan Of Action

  • The attacker used a flash loan from Uniswap to fund his arbitrage scheme, profiting a total of $24 million in the end.
  • The Harvest Finance team has announced a $100,000 reward for anyone who is able to convince the attacker to return the funds.

Illustration from Shutterstock

An attacker used an arbitrage trade to exploit a weak point in DeFi protocol Harvest Finance, resulting in the loss of $24 million worth of stablecoins from the project’s liquidity pools, the firm said in a post-mortem of the incident on 26 October.

According to the announcement, the event started on 26 October at 02:53 AM UTC with the attacker deploying a smart contract, which carried out the entire attack. He first obtained $50 million in USDC and $18 million in USDT from a flash loan from Uniswap, and then proceeded with swapping $17 million of his USDT to USDC inside the Y pool on Curve.fi, where the funds of Harvest’s vaults were invested.

With the USDC amount increased in the pool, the attacker then proceeded with depositing almost $50 million worth of USDC in Harvest’s USDC vault at a rate of about 0.97 per share, which was lowered from 0.98 per share by the previous transaction. He then exchanged about $17 million worth of USDC back into USDT, raising the rate back to 0.98 per share, and then withdrew his stake from the pool, netting himself more than $600,000 in profits.

All of this was carried out within the context of a single transaction, with the attacker executing 17 transactions aimed at USDC within 4 minutes. He then repeated the same process for the USDT vault, executing 13 transactions targeting the stablecoin within 3 minutes. Around 03:01 AM UTC, the attacker transferred $13 million worth of USDC and $11 million worth of USDT to his own wallet, and then for some unknown reason, sent Harvest Finance $2.5 million worth of USDC and USDT.

Shortly after the attack, the DeFi protocol tweeted that the person behind the exploit “is well-known in the crypto community”, and that they left a “significant amount of personally identifiable information”. The project noted that it did not wish to doxx the attacker, but still offered a $100,000 bounty to whoever was able to convince the attacker to send back the remaining funds. The team behind the project further said in a statement:

“For the attacker: you’ve proven your point, if you can return the funds to the users, it would be greatly appreciated by the community, including many bystanders.”

Now, due to the incident, the DeFi protocol is forced to delay the release of its smart contract improvements, which were scheduled for 27 October. The firm had to also withdraw all its funds from the shared pools, and relocated them to their vaults, where they will remain safe and sound until measures are taken against this kind of an attack. Harvest has also gotten in contact with the developers behind MerkleDistributor, and are now working on a tool to distribute the $2.5 million returned by the attacker to affected users.

The project is also pondering over possible mitigation strategies, that can be used to prevent this from happening in the future. Possible options include implementing a commit-and-reveal mechanism for deposits, which will remove the ability to perform deposits and withdrawals within a single transaction. Such a move, however, could potentially increase the gas cost for depositors. Another option is to tighten the threshold for deposit arbitrage check, which is currently at 3%, though this could be limiting deposits in the case of a “natural impermanent loss effects”.

Related Coverage
Osmosis Suffers $5M Liquidity Pool Exploit
  • Osmosis’ bug allowed users to add liquidity to any of its liquidity pools, and immediately withdraw 150% of their initial investment.
  • The DEX noted that four individuals were responsible for 95% of the stolen funds, and that two have already volunteered to return $2 million.
June 9, 2022, 1:02 PM


Beanstalk Farms Loses $182M Following Exploit
  • A flash loan allowed the attacker to obtain enough Beanstalk governance tokens to pass two proposals, enabling him to drain the protocol’s funds.
  • The malicious entity was able to steal 24,830 ETH and 36 million BEAN tokens, which were then laundered through TornadoCash.
How to Find The Best DeFi Pools For Your Assets
  • Investment opportunities in defi are innumerous, but finding the best hasn’t been an easy task thus far.
  • Yield Samurai is a decentralized finance data aggregator that helps investors find the highest-yielding pools in a few clicks.