The Harvest Finance flash loan exploit has been the news of the day. With $24 million in assets obtained by the “arbitrageur”, the DeFi platform finds itself in a crisis. We have explained the technicalities of the exploit and how using different features from a few DeFi platforms enabled the attacker to carry out the scheme. In this op-ed, I will focus on the bounty reward set for convincing the attacker to return the funds.
The team behind Harvest Finance quickly took responsibility for the exploit, saying:
“We made an engineering mistake, we own up to it. Thousands of people are acting as collateral damage, so we humbly request the attacker to return funds to the deployer, where it will be distributed back to the users in its entirety.”
Despite the team behind the project being anonymous, they still acted responsibly, which is a great sign. And even though the person behind the exploit is “well-known in the crypto community”, Harvest Finance have so far refused to doxx the individual, stating that “people should have their privacy”.
So far, a good example of how a DeFi project should handle a crisis. Moreover, the team has stated that they are actively working on developing a tool with which the funds returned by the attacker (about $2.5 million) will be distributed back to users.
However, things get weird when we look at the bounty reward Harvest Finance announced regarding the attacker. Although they have explicitly limited the reward to the person who successfully convinces the attacker to return the funds, I don’t see how $100,000 could help anyone achieve this task.
First of all, any person I have told about the bounty has laughed out loud as a reaction, without fail. And you can see why. But let’s take this seriously. How does someone convince anyone to return $20 million that they have acquired legally? You can’t offer them half the bounty. That’s pocket change to them now. You probably can’t appeal to the person’s empathy for the people whose funds they acquired, considering how they acquired said funds.
Moreover, they have returned $2.5 million (about 10% of the acquired funds), probably considering this fair enough. So empathy is unlikely to work. And depending on the person, threats might or might not work, which is something someone who knows the person might resort to, given the bounty reward.
But let’s put ourselves in the attacker’s shoes. I just acquired $24 million and returned $2.5 million. As far as I am concerned, I haven’t done anything illegal. I just exploited a few DeFi platforms by stretching the limits they themselves set. In the process, I have pissed a lot of people off. Depending on my character and social situation, I might or might not care.
Furthermore, there is a possibility of me being doxxed, which probably means death threats and destruction of reputation among peers and the crypto community. Again, depending on my character, I might or might not care. But what I certainly do care about is the money.
Liquidating the proceeds will also prove difficult as all major exchanges are aware of the Bitcoin addresses where I hold the profits. But, using Bitcoin ATMs and other, more low-key means, I can liquidate small parts of the profits over a long period of time, not risking the exposure of centralized exchanges.
So, depending on my character, people who I have pissed off might have leverage over me. If they have leverage, then negotiations might be a good option for me. I feel that I have done work, so I don’t want to leave with nothing. If my character is such that I care about all the issues listed above, I will generally consider their economic value. How much more am I prepared to refund in exchange for no bad feelings with all other actors involved? Or better yet, how much do I feel I deserve for identifying a big problem in Harvest Finance, devising a scheme to take advantage of it, writing up the smart contract code, and then going through all the stress that comes with the situation? Hard to tell. $100,000? $1 million? $5 million? That’s where negotiation comes in handy.
My point is this. A $100,000 bounty will not work. No one will convince this person to return the arbitraged funds if they don’t get something back. If Harvest Finance want to see more of the assets restored to their users, they need to get some sort of leverage over the attacker. You don’t parley when you are on the back foot. Thinking that the attacker will empathize with “we humbly request you return the funds” is just naive. The Harvest Finance team needs to create a situation where they have something they can offer the arbitrageur in exchange for refunding more of the proceeds.
I’d say that getting 100% of the funds back will be very difficult, unless somehow it can be proven that the 13 million USDC and 11 million USDT were obtained illegally. But obtaining at least another 20 – 30% of the $20 million in the wallets of the arbitrageur looks feasible, at least at this point.