Hackers Drain DeFi Protocol Harvest Finance of $24 Million

An economic exploit using flash loans enabled hackers to drain $24 million from DeFi protocol Harvest Finance.


Key Takeaways

  • Hackers obtained USDT and USDC stablecoins worth $24 million from Harvest Finance’s stablecoin and BTC pools.
  • Harvest’s governance token FARM plummeted 60% following the revelation of the hack.
  • $400 million in total liquidity has been drained out of Harvest Finance as liquidity providers (LPs) flee the platform.


A $24 million DeFi hack involving Harvest Finance has exposed the vulnerability of the entire DeFi ecosystem. 

Economic Exploit of Harvest Finance

Working as a yield aggregator, Harvest Finance provides liquidity to other DeFi pools to obtain gains for its liquidity providers (LPs). Hackers allegedly leveraged this mechanism in Curve’s Y pool for their attack.

Reportedly, arbitrage manipulation using a $50 million flash loan enabled the attackers to stretch the price of the stablecoins on Curve’s Y pool. The hackers then used the stablecoin and BTC pools on Harvest Finance to obtain a greater amount of stablecoins in exchange for the highly-priced tokens on Curve. 

In less than seven minutes, the attackers drained $24 million from Harvest’s liquidity.

The total volume of trading on Curve’s USDT and USDC shot from $10 million to over $2.7 billion during the exploit. 

The nature of the attack has been discussed in detail in an academic paper by researchers from Imperial College London (ICL). It outlines how flash loans can be used to manipulate the price of token pairs and drain liquidity from DeFi pools.
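
An added illustration of the mechanism reported above, not code from Harvest Finance, Curve or the ICL paper: a vault that prices its shares from a pool's spot price quotes a different share count once a single large trade skews the reserves, while a deviation check against a reference price rejects the quote. The constant-product pool, the class and function names, the 1% threshold and all amounts are assumptions chosen for the example.

```python
from dataclasses import dataclass

class PriceDeviation(Exception):
    """Pool spot price is too far from the reference to be trusted."""

@dataclass
class Pool:
    # Toy constant-product pool (assumption; Curve's real invariant differs).
    usdc: float
    usdt: float

    def spot(self) -> float:  # price of 1 USDC in USDT, read from the reserves
        return self.usdt / self.usdc

    def sell_usdc(self, amount: float) -> None:
        k = self.usdc * self.usdt   # invariant x * y = k is preserved
        self.usdc += amount
        self.usdt = k / self.usdc

@dataclass
class Vault:
    pool: Pool
    holdings_usdc: float                 # vault assets, valued via the pool
    total_shares: float
    reference: float = 1.0               # expected stablecoin peg (assumption)
    max_deviation: float = float("inf")  # inf = no sanity check at all

    def quote_shares(self, usdt_deposit: float) -> float:
        """Shares a deposit would mint at the vault's current share price."""
        spot = self.pool.spot()
        drift = abs(spot - self.reference) / self.reference
        if drift > self.max_deviation:
            raise PriceDeviation(f"spot {spot:.4f} is {drift:.1%} off reference")
        share_price = self.holdings_usdc * spot / self.total_shares
        return usdt_deposit / share_price

def demo():
    pool = Pool(usdc=1_000_000.0, usdt=1_000_000.0)  # constructed sample pool
    naive = Vault(pool, holdings_usdc=1_000.0, total_shares=1_000.0)
    guarded = Vault(pool, 1_000.0, 1_000.0, max_deviation=0.01)
    before = naive.quote_shares(100.0)
    pool.sell_usdc(250_000.0)            # one large trade skews the reserves
    after = naive.quote_shares(100.0)    # same deposit, mispriced shares
    try:
        guarded.quote_shares(100.0)
        rejected = False
    except PriceDeviation:
        rejected = True
    return before, after, rejected
```

Calling `demo()` returns the share quote on the balanced pool, the quote after the skewing trade, and whether the guarded vault refused to quote.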

A New DeFi Hack, Every Day 

There is a stark similarity between the Harvest Finance hack and a previous $15 million DeFi attack on Eminence in that the attackers returned a portion to the lead developer’s address.

While it was 50% of the amount with Eminence, this time, Harvest hackers sent back 10% of the total hack to the ETH deployer address. This raises suspicions around a signature move by a single entity or a trend adopted by developers. 

As reported earlier, the anonymous developers of Harvest Finance have raised several red flags. Anonymity in DeFi also works to the developers’ advantage: they go untraced and grow richer in crypto from the hacks.
