The Harvest Finance Exploit

  • An attacker managed to devise a scheme by which they were able to effectively steal $24 million in crypto assets using arbitrage between multiple DeFi platforms.
  • After the exploit became known, TVL on Harvest Finance rapidly dropped as did the price of its native FARM token.

Illustration from Shutterstock

A flash loan exploit allowed an “arbitrageur” to acquire $24 million in USDC and USDT from DeFi platform Harvest Finance’s vaults by devising an elaborate scheme which employed a few other DeFi protocols.

The exploit was first noticed on October 26, after the attacker had already drained $13 million in USDC and $11 million in USDT. A smart contract, probably written and deployed by the arbitrageur, performed several trades within the same transaction using funds generated by a flash loan from Uniswap. The smart contract then manipulated the ratio of the USDC and USDT Y pools on This lowered the share value of the Harvest Finance vaults. The smart contract then restored the ratio in the Y pools, which increased the share value of the Harvest Finance vaults. On each such trade, about $600,000 in profits were generated. The smart contract was executed numerous times until the aforementioned $24 million were acquired. For whatever reason, the arbitrageur then return about $2.5 million to the Harvest Finance deployed contract.

Since the exploit was identified, Harvest Finance have announced a bounty reward, which is currently $1 million, for anyone who shares information about the attacker’s identity and helps return the funds back to Harvest Finance.

As a result of the attack, the total value locked on the platform has dropped by about $700 million, from $1.04 billion to the current $330 million. The FARM token has also reacted accordingly, losing about 50% of its value.

The team has, since then, held a vote on reparations options. The community overwhelmingly chose the route of an IOU token that will feed a “percentage of profit sharing cashflow and a percentage of weekly emissions to reparations pools”. This will continue until the ~13.5% losses are recovered to users.

As It Happened

    Live coverage has ended.
    October 31, 2020, 3:16 PM
    New Vote On The Way

    Last night, the community chose to go the IOU token route as a way of covering the flash loan exploit losses. 3 hours after the vote had ended, Harvest Finance announced that a new vote will be held which “will center around the Uniswap market for the IOU token (IOU/FARM or IOU/USDC)”.

    October 31, 2020, 3:02 AM
    Reparations Vote Has Ended

    With 71.93% for, the Harvest Finance team will now have to create an IOU token that will cover the losses caused by the flash loan exploit. No specifics on exactly how the IOU token will work have yet been provided.

    October 30, 2020, 8:47 PM
    TVL Grows By $16 Million So Far Today

    After losing close to $100 million on Thursday, Harvest Finance’s total value locked has recovered a bit today. So far, the DeFi platform’s assets have grown by 12.42K ETH, or about $15.85 million.

    October 30, 2020, 2:40 PM
    12 Hours Before End Of Voting, 75% In Favor Of IOU Token

    A little over 12 hours remain until voting on reparations solution ends. Still, most are in favor of an IOU token being created that will redirect a percentage (not yet known) of profit sharing cashflow and of weekly emissions to reparations pools.

    October 30, 2020, 2:43 AM
    265 Votes In, Most Still Favor IOU Token Solution

    72.6% overwhelm the 27.4% in favor of no action in terms of reparations. The vote will continue for about 24 more hours.

    October 29, 2020, 6:36 PM
    Bounty Reward Increased To $1 Million

    The Harvest Finance team just announced that they have increased the bounty reward for giving out information about the attacker and convincing him to return the funds to $1 million.

    October 29, 2020, 5:29 PM
    Votes Rise To 230, Still 70% In Favor Of IOU Token

    230 votes have been cast so far on the snapshot page where Harvest Finance is deciding how they will proceed with reparations for the lost funds in the flash loan hack. 70% still in favor of the IOU token solution.

    October 29, 2020, 2:43 PM
    204 Votes Cast So Far

    70% of them want an IOU token that will feed a “percentage of profit sharing cashflow and a percentage of weekly emissions to reparations pools”. It will do so until the ~13.5% loss by USDC/USDT depositors, caused by the flash loan exploit, is covered. Only 30% support moving forward with no specific action to cover for the losses.

    October 29, 2020, 2:32 PM
    FARM Recovers Above $100, Again

    After reaching yesterday’s low of $86, Harvest Finance’s token has rebound back to about $100. It is keeping stable at that level for the time being.

    October 29, 2020, 2:30 PM
    TVL Drops Below $300 Million

    After a steady day yesterday, losing on about $1 million in total value locked, Harvest Finance’s assets went into free fall, losing close to $100 million, or about 51,000 ETH. They currently sit at $291 million valuation.

    October 29, 2020, 2:26 PM
    Vote On Reparations Plan Is Live

    Harvest Finance have created a snapshot page so community members can vote on possible reparations options that will cover for the losses caused by the flash loan exploit. Initially, there were three options, but now it’s down to only two – create an IOU token that will pay out a percentage to the reparations pool or don’t do nothing. So far, the former leads 70% to 30%. The vote will be active until October 31 at 3 AM UTC.

    October 29, 2020, 2:53 AM
    FARM Reaches New 24 Hour Low

    The Harvest Finance token has had a rough day. It has dropped below $100 again and continued to drop until about $86. It has recovered since then, currently trading at about $91.

    October 29, 2020, 2:49 AM
    Team Proposes Options For Reparations

    In one of their latest tweets, the Harvest Finance team has presented three possible options for the project moving forward – the first two options include creating a tradeable IOU token that would, respectively for options one and two, feed “a percentage of profit sharing cashflow to reparations pools” or feed “a percentage of weekly emissions to reparations pools”. The last option is to not do anything and proceed with the “existing roadmap”. The community is expected to vote on this for 3 days.

    October 28, 2020, 5:21 PM
    Bounty Reward Conditions Have Changed

    Initially, Harvest Finance offered $100,000 for anyone who was able to convince the attacker to return the funds. As the bounty reward was updated in the latest announcement to $400,000, so were the conditions: “We have put out a $400,000 bounty for anyone who comes forward with the identity of the hacker or information about the hacker. Subsequently, we would need funds to be returned to the deployer address so we can restore lost crops.”

    October 28, 2020, 5:18 PM
    FARM Drops To $90

    After recovering to $120 yesterday, Harvest Finance’s token has again dropped below the $100 mark. It currently stands at about $91.

    October 28, 2020, 3:18 PM
    TVL In Free Fall

    The total value locked on Harvest Finance seems to be in free fall as it has lost another $50 million in 2 hours.

    October 28, 2020, 1:14 PM
    TVL Drops Below $400 Million

    After a steady day, total value locked on Harvest Finance has dropped below the $400 million mark. It currently sits at about $370 million.

    October 28, 2020, 2:46 AM
    Top Tier Auditing Firms To Help Secure The Future Of Harvest Finance

    In their latest announcement, Harvest Finance briefly summarized the flash loan exploit again, but also noted on what’s upcoming for the platform. In the conclusion, they mention that audits by “top tier auditing firms” are on the way as security has become a top priority.

    October 27, 2020, 11:37 PM
    “We are actively working on tracking the attacker”

    In their latest tweet, the Harvest Finance team announced that they are still trying to identify the person responsible for the flash loan exploit. They also stated that everything is going well for week 9 operation’s start and that restoring the funds to users is “the top priority”.

    October 27, 2020, 8:52 PM
    TVL Stabilizes Around $400 Million

    After Harvest Finance lost $600 million in total value locked since the flash loan exploit was uncovered, the DeFi platform’s assets have leveled off and have remained stable around the $400 million mark, according to DeFi Pulse.

    October 27, 2020, 5:01 PM
    Arbitrageur Is Liqudating The Assets Using Kraken, Binance, Huobi, Others

    Harvest Finance have created a GitHub repository where people can trace how the funds move around. In their latest tweet, they have announced that the attacker is “money laundering BTC” through Flugsvamp 3.0, wpm_cash,, Treddr, Kraken, Binance, and Huobi.

    October 27, 2020, 4:57 PM
    Bounty Reward Is Now $400,000

    After initially setting the bounty reward at $100,000 for anyone who manages to convince the attacker to return the funds back, something we argued would be ineffective, Harvest Finance have quadrupled the reward.

    October 27, 2020, 2:07 AM
    FARM Rebounds To $120

    After briefly dropping below $100, Harvest Finance’s token has recovered to $120 and has been trading around that mark for about 2 hours now.

    October 27, 2020, 12:40 AM
    Total Value Locked Keeps Going Down, Will Soon Break $400 Million

    The TVL on Harvest Finance has been in free fall all day long. It currently sits at around $400 million, but if the trend is not broken in some way, it will keep going down.

    October 26, 2020, 8:31 PM
    FARM Price Drops Below $100, Again

    After 15 hours of back-and-forth, Harvest Finance’s token has dipped below the three-digit mark once again. It currently stands at about $96.

    October 26, 2020, 8:27 PM
    Brief Explanation Of The Exploit

    The attacker flash loaned $50 million in USDC and about $18 million in USDT from Uniswap. They then proceeded to trade about $17 million in USDT to USDC inside the Y pool on This increased the amount of USDC in the pool. The attacker then deposited close to $50 million in USDC in Harvest’s USDC vault at a rate of about 0.97 per share.

    Because of the previous trade, the rate had dropped from 0.98. They then exchanged about $17 million in USDC back to USDT, raising the rate back to about 0.98. They then withdrew their stake in Harvest’s pool with more than $600,000 in profit. The attacker did that multiple times (for USDT as well) until they obtained 13 million USDC and 11 million USDT in profits.

    October 26, 2020, 8:01 PM
    Proposition To Make Flash Loan-Based Attacks “Infeasible”

    In their latest announcement, Harvest Finance propose several improvements to mitigate future issues. One of them is the implementation of a “commit-and-reveal mechanism for deposits”. It will essentially make performing deposits and withdrawals in a single transaction impossible, making the platform invulnerable to flash loan-based attacks similar to the one it experienced no more than 16 hours ago.

    October 26, 2020, 7:48 PM
    FARM Price Lingers Around $100

    After a sudden collapse of more than 60%, Harvest Finance’s FARM token has stabilized at around $100 – $110, for the time being. It has been so for the past 15 hours.

    October 26, 2020, 7:38 PM
    The Bitcoin Addresses Of The Attacker

    Here are the 7 Bitcoin addresses where the attacker withdrew the proceeds from the exploit:


    October 26, 2020, 7:26 PM
    Attack Post-Mortem Is Released

    Harvest Finance have released a detailed post-mortem of the exploit, explaining exactly what happened, step by step, announcing the next steps for the platform and possible fixes to prevent similar future scenarios.

    October 26, 2020, 6:58 PM
    Harvest Finance Announce They Do Not Want To Dox The “Arbitrageur”

    Since it became known that the person responsible for the exploit is “well-known in the crypto community”, various requests to reveal them have emerged. In their latest tweet, Harvest Finance state: “We do not have any interest in doxxing the attacker, (or arbitrageur). People should have their privacy.”

    October 26, 2020, 11:58 AM
    Detailed Explanation Of The Exploit Emerges

    Transaction sequence on Etherscan shows how the exploit was successfully executed. Using a flash swap on Uniswap, the attacker took out $50 million in USDC, which they then used to manipulate the price of USDT on Curve Finance, another DeFi platform. This created an opportunity to arbitrage the prices between the two platforms, which the person did multiple times until a total of $24 million was acquired. The funds were then swapped to ETH, then went through WBTC and renBTC, before finally becoming BTC.

    October 26, 2020, 10:03 AM
    $100,000 Bounty Is Announced

    The team behind Harvest Finance announce a $100,000 bounty for anyone who manages to convince the attacker to send back the funds.

    “For the attacker: you’ve proven your point, if you can return the funds to the users, it would be greatly appreciated by the community, including many bystanders.”

    October 26, 2020, 5:00 AM
    TVL Drops By More Than $300 Million

    Following news of the exploit, investors started withdrawing assets in droves, reminiscent of a bank run. Total value locked on Harvest Finance has dropped from $1 billion to about $650 million.

    October 26, 2020, 4:37 AM
    Harvest Finance Team Responds

    The anonymous team behind the DeFi platform assures everyone that they are aware of the issue and are working on solutions:

    “We are working actively on the issue of mitigating the economic attack on the Stablecoin and BTC pools, and will update in this thread in realtime (sic) as soon as additional details are available.”

    October 26, 2020, 3:49 AM
    The Exploit Is Identified

    Reports emerge in different tweets that a $24 million exploit has been successfully executed on Harvest Finance. The person responsible use various tools to withdraw the acquired funds, including Tornado Cash. Almost instantly, the price of FARM (the native Harvest Finance token) and assets locked on the platform started going down.

    Loading comments...
    Related Coverage
    Sam Bankman-Fried Found Guilty on All Charges
    • The New York Jurors took 4 fours of deliberating before pronouncing the former FTX CEO guilty of all seven charges of fraud and conspiracy to commit fraud.
    • Bankman-Fried will now have to appear in court on 28 March, 2024, where he will face a potential maximum sentence of 115 years in prison.
    November 3, 2023, 8:54 AM

    Former CEO of FTX Sam Bankman-Fried leaves the Federal Court in New York after pleading not guilty, 3 January, 2022.
    lev radin/Shutterstock

    Unibot to Compensate Users Affected by Exploit
    • Popular Telegram bot Unibot, which is used to snipe trades on Uniswap, became a victim of a token approval exploit earlier today, when it was switching to a new router.
    • After confirming the exploit, Unibot assured users that their keys and wallets were safe, and that the project will compensate all affected users.
    DoJ Requests SBF’s Expert Witnesses be Barred From Testifying
    • The U.S. Department of Justice has expressed its concerns over Sam Bankman-Fried’s seven expert witnesses, and requested they be barred from testifying on the case.
    • The DoJ claimed most of the proposed experts lacked the necessary foundation for their opinions, making them unqualified to be an expert witness.