A flash loan exploit allowed an “arbitrageur” to acquire $24 million in USDC and USDT from DeFi platform Harvest Finance’s vaults by devising an elaborate scheme that routed through several other DeFi protocols.
The exploit was first noticed on October 26, by which point the attacker had already drained $13 million in USDC and $11 million in USDT. A smart contract, probably written and deployed by the arbitrageur, performed several trades within a single transaction using funds obtained through a flash loan from Uniswap. The contract first skewed the USDC/USDT balance of the Y pool on Curve.fi, which lowered the share price of the Harvest Finance vaults; it then deposited into the vaults at the depressed price, restored the pool balance, which raised the share price again, and withdrew. Each such round trip produced about $600,000 in profit. The contract was executed repeatedly until the aforementioned $24 million had been extracted. For whatever reason, the arbitrageur then returned about $2.5 million to the Harvest Finance deployer address.
Since the exploit was identified, Harvest Finance have announced a bounty reward, which currently stands at $1 million, for anyone who shares information about the attacker’s identity and helps return the funds to Harvest Finance.
As a result of the attack, the total value locked on the platform has dropped by about $700 million, from $1.04 billion to the current $330 million. The FARM token has also reacted accordingly, losing about 50% of its value.
The team has, since then, held a vote on reparations options. The community overwhelmingly chose the route of an IOU token that will feed a “percentage of profit sharing cashflow and a percentage of weekly emissions to reparations pools”. This will continue until the ~13.5% losses suffered by users are recovered.
Last night, the community chose to go the IOU token route as a way of covering the flash loan exploit losses. 3 hours after the vote had ended, Harvest Finance announced that a new vote will be held which “will center around the Uniswap market for the IOU token (IOU/FARM or IOU/USDC)”.
With 71.93% of votes in favor, the Harvest Finance team will now have to create an IOU token that covers the losses caused by the flash loan exploit. No specifics on exactly how the IOU token will work have been provided yet.
After losing close to $100 million on Thursday, Harvest Finance’s total value locked has recovered a bit today. So far, the DeFi platform’s assets have grown by 12.42K ETH, or about $15.85 million.
A little over 12 hours remain until voting on the reparations solution ends. Most are still in favor of creating an IOU token that will redirect a percentage (not yet known) of profit-sharing cashflow and of weekly emissions to reparations pools.
The IOU token option leads with 72.6% of votes, against 27.4% in favor of taking no action on reparations. The vote will continue for about 24 more hours.
The Harvest Finance team just announced that they have increased the bounty to $1 million for information about the attacker and for persuading them to return the funds.
230 votes have been cast so far on the snapshot page where Harvest Finance is deciding how to proceed with reparations for the funds lost in the flash loan hack. 70% are still in favor of the IOU token solution.
70% of them want an IOU token that will feed a “percentage of profit sharing cashflow and a percentage of weekly emissions to reparations pools”. It will do so until the ~13.5% loss by USDC/USDT depositors, caused by the flash loan exploit, is covered. Only 30% support moving forward with no specific action to cover for the losses.
After reaching yesterday’s low of $86, Harvest Finance’s token has rebounded to about $100 and is holding steady at that level for the time being.
After a steady day yesterday, in which it lost only about $1 million in total value locked, Harvest Finance’s assets went into free fall today, losing close to $100 million, or about 51,000 ETH. They currently sit at a $291 million valuation.
Harvest Finance have created a snapshot page so community members can vote on possible reparations options to cover the losses caused by the flash loan exploit. Initially there were three options, but it is now down to only two: create an IOU token that pays out a percentage to the reparations pool, or do nothing. So far, the former leads 70% to 30%. The vote will be active until October 31 at 3 AM UTC.
The Harvest Finance token has had a rough day. It has dropped below $100 again and continued to drop until about $86. It has recovered since then, currently trading at about $91.
In one of their latest tweets, the Harvest Finance team has presented three possible options for the project moving forward – the first two options include creating a tradeable IOU token that would, respectively for options one and two, feed “a percentage of profit sharing cashflow to reparations pools” or feed “a percentage of weekly emissions to reparations pools”. The last option is to not do anything and proceed with the “existing roadmap”. The community is expected to vote on this for 3 days.
Initially, Harvest Finance offered $100,000 for anyone who was able to convince the attacker to return the funds. As the bounty reward was updated in the latest announcement to $400,000, so were the conditions: “We have put out a $400,000 bounty for anyone who comes forward with the identity of the hacker or information about the hacker. Subsequently, we would need funds to be returned to the deployer address so we can restore lost crops.”
After recovering to $120 yesterday, Harvest Finance’s token has again dropped below the $100 mark. It currently stands at about $91.
The total value locked on Harvest Finance seems to be in free fall as it has lost another $50 million in 2 hours.
After a steady day, total value locked on Harvest Finance has dropped below the $400 million mark. It currently sits at about $370 million.
In their latest announcement, Harvest Finance briefly summarized the flash loan exploit again, but also outlined what is upcoming for the platform. In the conclusion they mention that audits by “top tier auditing firms” are on the way, as security has become a top priority.
In their latest tweet, the Harvest Finance team announced that they are still trying to identify the person responsible for the flash loan exploit. They also stated that everything is on track for the start of week 9 of operations and that restoring the funds to users is “the top priority”.
After Harvest Finance lost $600 million in total value locked since the flash loan exploit was uncovered, the DeFi platform’s assets have leveled off and have remained stable around the $400 million mark, according to DeFi Pulse.
After initially setting the bounty reward at $100,000 for anyone who manages to convince the attacker to return the funds, something we argued would be ineffective, Harvest Finance have quadrupled the reward to $400,000.
After briefly dropping below $100, Harvest Finance’s token has recovered to $120 and has been trading around that mark for about 2 hours now.
The TVL on Harvest Finance has been in free fall all day long. It currently sits at around $400 million, but if the trend is not broken in some way, it will keep going down.
After 15 hours of back-and-forth, Harvest Finance’s token has dipped below the three-digit mark once again. It currently stands at about $96.
The attacker flash loaned $50 million in USDC and about $18 million in USDT from Uniswap. They then traded about $17 million in USDT for USDC inside the Y pool on Curve.fi, pushing USDT into the pool and pulling USDC out of it, so that USDC became the scarcer asset in the pool. Because the vault’s share price is derived from the pool’s balance, this lowered the USDC vault’s share price from about 0.98 to about 0.97. The attacker then deposited close to $50 million in USDC into Harvest’s USDC vault at that depressed rate.
They then exchanged about $17 million in USDC back to USDT, restoring the pool balance and raising the share price back to about 0.98, and withdrew their stake from Harvest’s vault with more than $600,000 in profit. The attacker repeated this multiple times (against the USDT vault as well, with the swap direction reversed) until they had extracted 13 million USDC and 11 million USDT in profit.
In their latest announcement, Harvest Finance propose several improvements to mitigate future issues. One of them is the implementation of a “commit-and-reveal mechanism for deposits”. It would make depositing and withdrawing within a single transaction impossible, closing off flash loan-based attacks like the one the platform suffered no more than 16 hours ago: a flash loan has to be repaid within the same transaction, so an attacker who cannot also withdraw in that transaction cannot fund the deposit with borrowed money.
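The following is an added toy model of the round trip described in the two updates above and of the single-transaction guard proposed here; it is example code written for this page, not Harvest Finance’s contracts or post-mortem code. Everything in it is constructed: a fee-free constant-product USDC/USDT pool stands in for Curve’s Y pool (the price moves in the same direction but by a much larger amount), the vault holds LP tokens plus an idle USDC buffer and prices its shares off the pool’s own spot value, a block number stands in for “the same transaction”, and the dollar amounts are illustrative rather than those of the real exploit.

```python
from fractions import Fraction as F


class Pool:
    """Constant-product USDC/USDT pool (usdc * usdt = k), no fees.
    Constructed stand-in for Curve's Y pool: same direction of price move,
    much larger magnitude than a stableswap pool would show."""

    def __init__(self, usdc, usdt):
        self.usdc, self.usdt = F(usdc), F(usdt)
        self.lp_supply = self.usdc + self.usdt  # one LP token per unit of liquidity

    def swap(self, token_in, amount_in):
        """Sell amount_in of token_in ("usdc" or "usdt"); returns the amount received."""
        k = self.usdc * self.usdt
        if token_in == "usdt":
            out = self.usdc - k / (self.usdt + amount_in)
            self.usdt, self.usdc = self.usdt + amount_in, self.usdc - out
        else:
            out = self.usdt - k / (self.usdc + amount_in)
            self.usdc, self.usdt = self.usdc + amount_in, self.usdt - out
        return out

    def lp_value_in_usdc(self, lp):
        """USDC value of lp tokens at the pool's own spot price (the manipulable
        input): lp/lp_supply of both reserves, USDT priced at usdc/usdt, which
        simplifies to 2*usdc*lp/lp_supply. Draining USDC lowers it."""
        return 2 * self.usdc * lp / self.lp_supply


class Vault:
    """Vault holding LP tokens plus an idle USDC buffer. Shares are priced off
    the pool-reported LP value, which is exactly what the attack leans on."""

    def __init__(self, pool, lp, idle_usdc, shares, same_block_guard):
        self.pool, self.lp, self.idle, self.shares = pool, F(lp), F(idle_usdc), F(shares)
        self.same_block_guard = same_block_guard  # the proposed mitigation, modelled per block
        self.last_deposit_block = {}

    def share_price(self):
        return (self.idle + self.pool.lp_value_in_usdc(self.lp)) / self.shares

    def deposit(self, who, usdc, block):
        minted = F(usdc) / self.share_price()
        self.idle += F(usdc)
        self.shares += minted
        self.last_deposit_block[who] = block
        return minted

    def withdraw(self, who, shares, block):
        if self.same_block_guard and self.last_deposit_block.get(who) == block:
            raise RuntimeError("deposit and withdrawal in the same block")
        usdc = shares * self.share_price()
        if usdc > self.idle:
            raise RuntimeError("idle buffer exhausted")
        self.idle -= usdc
        self.shares -= shares
        return usdc


def run_attack(pool, vault, block=1, flash_usdc=F(50_000_000), flash_usdt=F(17_000_000)):
    """One iteration of the sequence from the post-mortem, executed atomically.
    Returns (profit, depressed_share_price). If any step fails the flash loan
    cannot be repaid, so the whole transaction reverts and the profit is 0."""
    saved = (vars(pool).copy(), vars(vault).copy(), vault.last_deposit_block.copy())
    try:
        usdc_got = pool.swap("usdt", flash_usdt)                # 1. push USDT in, pull USDC out
        depressed = vault.share_price()                         #    -> vault looks poorer in USDC
        minted = vault.deposit("attacker", flash_usdc, block)   # 2. buy shares at the low price
        pool.swap("usdc", usdc_got)                             # 3. reverse the swap (gets flash_usdt back)
        got_back = vault.withdraw("attacker", minted, block)    # 4. redeem at the restored price
        return got_back - flash_usdc, depressed                 # 5. repay both loans, keep the rest
    except RuntimeError:
        vars(pool).update(saved[0])                             # revert: nothing happened on-chain
        vars(vault).update(saved[1])
        vault.last_deposit_block = saved[2]
        return F(0), None


def scenario(guard):
    """Constructed numbers: $100M/$100M pool; the vault owns 20% of it via 40M LP
    tokens plus a $5M idle buffer, with 45M shares outstanding at $1.00 each."""
    pool = Pool(100_000_000, 100_000_000)
    vault = Vault(pool, lp=40_000_000, idle_usdc=5_000_000, shares=45_000_000, same_block_guard=guard)
    price_before = vault.share_price()
    profit, depressed = run_attack(pool, vault)
    # Every dollar the attacker leaves with is a dollar the 45M pre-existing shares lost.
    loss = F(45_000_000) * (price_before - vault.share_price())
    return {
        "price_before": float(price_before),
        "price_depressed": None if depressed is None else float(depressed),
        "profit": float(profit),
        "depositors_loss": float(loss),
        "pool_restored": pool.usdc == pool.usdt == F(100_000_000),
    }


if __name__ == "__main__":
    for guard in (False, True):
        print("same-block guard" if guard else "no guard", scenario(guard))
```

Without the guard the pool ends the transaction exactly where it started, yet the vault’s share price does not: the shares minted at the depressed price permanently dilute everyone else, and the attacker’s profit equals the existing depositors’ loss to the cent. With the guard, step 4 raises, the flash loans cannot be repaid, and the whole transaction reverts with no state change.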
After a sudden collapse of more than 60%, Harvest Finance’s FARM token has stabilized at around $100 – $110, for the time being. It has been so for the past 15 hours.
Here are the 7 Bitcoin addresses where the attacker withdrew the proceeds from the exploit:
1Paykw4s2WX4SaVjDrQkwSiJr16AiANhiM
1HLG86DDEzAxAGmEzxr1SUfPCWcnWA6bMm
14stnrgMFNR4LesqQRUdo5n1VUx9xdAMeg
18w2Bm2cCsbLjWQU9BcnjzK8ErmzozrVa3
1FS2t2eAjmjaNmADN6SMHYo7G4XGpX1osS
1NdAJ89k1qpRMpZLwuYGQ7VnM45xD2NJXa
1CLHhshrusvT4XADWA29R2H4ndsSUamEWn
Harvest Finance have released a detailed post-mortem of the exploit, explaining exactly what happened, step by step, announcing the next steps for the platform and possible fixes to prevent similar future scenarios.
Since it became known that the person responsible for the exploit is “well-known in the crypto community”, various requests to reveal them have emerged. In their latest tweet, Harvest Finance state: “We do not have any interest in doxxing the attacker, (or arbitrageur). People should have their privacy.”
The transaction sequence on Etherscan shows how the exploit was executed. Using a flash swap on Uniswap, the attacker took out $50 million in USDC, which they then used to manipulate the price of USDT on Curve Finance, another DeFi platform. This created an opportunity to arbitrage Harvest’s vault share price against Curve’s pool, which the attacker exploited repeatedly until a total of $24 million had been acquired. The funds were then swapped to ETH, went through WBTC and renBTC, and finally ended up as BTC.
The team behind Harvest Finance announce a $100,000 bounty for anyone who manages to convince the attacker to send back the funds.
“For the attacker: you’ve proven your point, if you can return the funds to the users, it would be greatly appreciated by the community, including many bystanders.”
Following news of the exploit, investors started withdrawing assets in droves, reminiscent of a bank run. Total value locked on Harvest Finance has dropped from $1 billion to about $650 million.
The anonymous team behind the DeFi platform assures everyone that they are aware of the issue and are working on solutions:
“We are working actively on the issue of mitigating the economic attack on the Stablecoin and BTC pools, and will update in this thread in realtime (sic) as soon as additional details are available.”
Reports emerge in different tweets that a $24 million exploit has been successfully executed on Harvest Finance. The person responsible used various tools to withdraw the acquired funds, including Tornado Cash. Almost instantly, the price of FARM (the native Harvest Finance token) and the assets locked on the platform started falling.