An attacker used an arbitrage trade to exploit a weak point in DeFi protocol Harvest Finance, resulting in the loss of $24 million worth of stablecoins from the project’s liquidity pools, the firm said in a post-mortem of the incident on 26 October.
According to the announcement, the event started on 26 October at 02:53 AM UTC, when the attacker deployed a smart contract that carried out the entire attack. He first obtained $50 million in USDC and $18 million in USDT via a flash loan from Uniswap, then swapped $17 million of that USDT for USDC inside the Y pool on Curve.fi, where the funds of Harvest’s vaults were invested.
With the USDC amount in the pool increased, the attacker deposited almost $50 million worth of USDC into Harvest’s USDC vault at a rate of about 0.97 per share, down from 0.98 per share as a result of the previous swap. He then exchanged about $17 million worth of USDC back into USDT, which raised the rate back to 0.98 per share, and withdrew his stake from the pool, netting himself more than $600,000 in profit.
Each such cycle was carried out within a single transaction, and the attacker executed 17 of these transactions against USDC within 4 minutes. He then repeated the process for the USDT vault, executing 13 transactions against that stablecoin within 3 minutes. Around 03:01 AM UTC, the attacker transferred $13 million worth of USDC and $11 million worth of USDT to his own wallet and then, for reasons unknown, sent Harvest Finance $2.5 million worth of USDC and USDT.
Shortly after the attack, the DeFi protocol tweeted that the person behind the exploit “is well-known in the crypto community”, and that they left a “significant amount of personally identifiable information”. The project noted that it did not wish to doxx the attacker, but still offered a $100,000 bounty to whoever was able to convince the attacker to send back the remaining funds. The team behind the project further said in a statement:
“For the attacker: you’ve proven your point, if you can return the funds to the users, it would be greatly appreciated by the community, including many bystanders.”
As a result of the incident, the protocol has had to delay the release of its smart contract improvements, which were scheduled for 27 October. The firm also withdrew all of its funds from the shared pools and relocated them to its vaults, where they will remain safe and sound until measures are taken against this kind of attack. Harvest has also contacted the developers behind MerkleDistributor and is working on a tool to distribute the $2.5 million returned by the attacker to affected users.
The project is also weighing mitigation strategies to prevent this from happening again. One option is a commit-and-reveal mechanism for deposits, which would remove the ability to deposit and withdraw within a single transaction; such a move, however, could increase the gas cost for depositors. Another option is to tighten the threshold of the deposit arbitrage check, currently 3%, though this could limit deposits in the case of “natural impermanent loss effects”.
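To make the attack sequence and the two proposed mitigations concrete, here is an added toy model written for this article; it is not Harvest's, Curve's or the attacker's code. The pool is a fee-free constant-product pool rather than Curve's Y pool, the pool and vault sizes, the 1,000,000 USDT skew and the 50,000,000 USDC deposit are constructed, and the vault's flaw is modelled as valuing its LP position at the pool's own instantaneous spot price (the `marked_value` method, a hypothetical name). The `threshold` argument stands in for the deposit arbitrage check and `block_guard` for the effect of commit-and-reveal; exact `Fraction` arithmetic is used so the attacker's profit and the remaining depositors' loss can be compared exactly.

```python
from fractions import Fraction as F


class ArbitrageCheckFailed(Exception):
    """Deposit refused: pool-marked valuation strays too far from the reference."""


class SameTransactionWithdrawal(Exception):
    """Withdrawal refused: the shares were minted in this same transaction."""


class Pool:
    """Constructed fee-free constant-product (x*y=k) stablecoin pool. Curve's Y pool
    uses a different curve; the flaw only needs a spot price that moves on a swap."""

    def __init__(self, usdc, usdt):
        self.usdc, self.usdt = F(usdc), F(usdt)
        self.lp_supply = self.usdc + self.usdt  # LP tokens outstanding

    def swap_usdt_for_usdc(self, usdt_in):
        k = self.usdc * self.usdt
        usdc_out = self.usdc - k / (self.usdt + F(usdt_in))
        self.usdt, self.usdc = self.usdt + F(usdt_in), self.usdc - usdc_out
        return usdc_out

    def swap_usdc_for_usdt(self, usdc_in):
        k = self.usdc * self.usdt
        usdt_out = self.usdt - k / (self.usdc + F(usdc_in))
        self.usdc, self.usdt = self.usdc + F(usdc_in), self.usdt - usdt_out
        return usdt_out

    def marked_value(self, lp):
        """Flawed valuation: marks an LP position in USDC at the pool's current
        spot price, which a single large swap can move within one transaction."""
        spot = self.usdc / self.usdt  # USDC per USDT right now
        return lp / self.lp_supply * (self.usdc + self.usdt * spot)

    def reference_value(self, lp):
        """Reference for the arbitrage check: a swap barely changes the sum of
        reserves of a 1:1 stablecoin pool, so count each token as one dollar."""
        return lp / self.lp_supply * (self.usdc + self.usdt)


class Vault:
    """Toy vault: idle USDC plus an LP position valued through Pool.marked_value."""

    def __init__(self, pool, lp, idle_usdc, shares, threshold=None, block_guard=False):
        self.pool, self.lp = pool, F(lp)
        self.idle, self.shares = F(idle_usdc), F(shares)
        self.threshold = threshold      # max |marked - reference| / reference
        self.block_guard = block_guard  # stand-in for commit-and-reveal
        self.last_deposit_block = {}

    def total_value(self):
        return self.idle + self.pool.marked_value(self.lp)

    def share_price(self):
        return self.total_value() / self.shares

    def deposit(self, user, amount, block):
        if self.threshold is not None:
            marked, ref = self.pool.marked_value(self.lp), self.pool.reference_value(self.lp)
            if abs(marked - ref) / ref > self.threshold:
                raise ArbitrageCheckFailed(f"deviation {float((ref - marked) / ref):.3%}")
        minted = F(amount) / self.share_price()
        self.idle, self.shares = self.idle + F(amount), self.shares + minted
        self.last_deposit_block[user] = block
        return minted

    def withdraw(self, user, shares, block):
        if self.block_guard and self.last_deposit_block.get(user) == block:
            raise SameTransactionWithdrawal("deposit and withdrawal in one transaction")
        payout = F(shares) * self.share_price()
        self.idle, self.shares = self.idle - payout, self.shares - F(shares)
        return payout


def run_attack(threshold=None, block_guard=False, skew_usdt=1_000_000, deposit=50_000_000):
    """Replay the post-mortem's sequence in one block: skew the pool, deposit, un-skew,
    withdraw. Returns the attacker's profit and the loss left to remaining depositors,
    or the name of the check that stopped the sequence."""
    pool = Pool(usdc=100_000_000, usdt=100_000_000)  # constructed sizes
    vault = Vault(pool, lp=180_000_000, idle_usdc=20_000_000, shares=200_000_000,
                  threshold=threshold, block_guard=block_guard)
    value_before, block = vault.total_value(), 1
    usdc_out = pool.swap_usdt_for_usdc(skew_usdt)          # step 1: skew the pool
    ref = pool.reference_value(vault.lp)
    deviation = (ref - pool.marked_value(vault.lp)) / ref  # what the check sees
    try:
        minted = vault.deposit("attacker", deposit, block)  # step 2: shares at the low rate
        usdt_back = pool.swap_usdc_for_usdt(usdc_out)       # step 3: un-skew (round trip is free)
        payout = vault.withdraw("attacker", minted, block)  # step 4: cash out at the restored rate
    except (ArbitrageCheckFailed, SameTransactionWithdrawal) as exc:
        return {"blocked_by": type(exc).__name__, "deviation": deviation}
    return {"profit": (payout - deposit) + (usdt_back - skew_usdt),
            "depositor_loss": value_before - vault.total_value(),
            "deviation": deviation}


if __name__ == "__main__":
    for label, kwargs in [("no checks", {}), ("3% threshold (current)", {"threshold": F(3, 100)}),
                          ("0.5% threshold", {"threshold": F(1, 200)}),
                          ("same-transaction guard", {"block_guard": True})]:
        result = run_attack(**kwargs)
        print(label, {k: (float(v) if isinstance(v, F) else v) for k, v in result.items()})
```

Running it shows the point of the post-mortem's numbers: a skew that moves the marked valuation by only about 1% slips under a 3% threshold and still extracts a profit that is borne, to the cent, by the depositors who stayed in the vault; tightening the threshold to 0.5% rejects the deposit, and the same-transaction guard lets the deposit through but refuses the withdrawal, which is what removes the single-transaction cycle.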