Hackers Drain DeFi Protocol Harvest Finance of $24 Million
An economic exploit using flash loans enabled hackers to drain $24 million from DeFi protocol Harvest Finance.
- Hackers obtained USDT and USDC stablecoins worth $24 million from Harvest Finance’s stablecoin and BTC pools.
- Harvest’s governance token FARM plummeted 60% following the revelation of the hack.
- $400 million in total liquidity has been drained out of Harvest Finance as liquidity providers (LPs) flee the platform.
A $24 million DeFi hack involving Harvest Finance has exposed the vulnerability of the entire DeFi ecosystem.
Economic Exploit of Harvest Finance
Working as a yield aggregator, Harvest Finance provides liquidity to other DeFi pools to obtain gains for its liquidity providers (LPs). Hackers allegedly leveraged this mechanism in Curve’s Y pool for their attack.
The economic attack was performed through the curve y pool, stretching the price of the stablecoins in Curve out of proportion and depositing and withdrawing a large amount of assets through harvest.
To protect users, we've pulled y pool and btc curve strategy funds to the vault
— Harvest Finance (@harvest_finance) October 26, 2020
Reportedly, arbitrage manipulation using a $50 million flash loan enabled the attackers to stretch the price of the stablecoins on Curve’s Y pool. The hackers then used the stablecoin and BTC pools on Harvest Finance to obtain a greater amount of stablecoins in exchange for the highly-priced tokens on Curve.
In less than seven minutes, the attackers drained $24 million from Harvest’s liquidity.
The total volume of trading on Curve’s USDT and USDC shot from $10 million to over $2.7 billion during the exploit.
The nature of the attack has been discussed in detail in an academic paper by researchers from Imperial College London (ICL). It outlines how flash loans can be used to manipulate the price of token pairs and drain liquidity from DeFi pools.
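The mechanism described above comes down to one fragile assumption: a vault that prices deposits and withdrawals off a pool's current spot price can be misled whenever a single large trade moves that price within one transaction. The simulation below is an added example, not code from the article, from Harvest Finance or from Curve. It uses a constant-product pool as a simplified stand-in for Curve's StableSwap Y pool (the curve shape differs, but a large trade moves the spot price in both), constructed 10M/10M reserves, and a hypothetical price-deviation guard that compares the pool's spot price against a reference price (a time-weighted average or an external oracle, assumed here) before allowing a deposit. The guard is a generic mitigation, not Harvest's actual fix.

```python
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """Constructed toy pool: x * y = k, no fee. Curve's Y pool is a StableSwap
    pool, not constant-product; this stand-in keeps the arithmetic exact while
    showing the same effect (one large trade moves the spot price)."""
    reserve_a: float  # e.g. USDC
    reserve_b: float  # e.g. USDT

    def spot_price(self) -> float:
        """Price of one unit of A in units of B, as read straight from reserves."""
        return self.reserve_b / self.reserve_a

    def swap_a_for_b(self, amount_in: float) -> float:
        """Sell amount_in of A into the pool; returns the amount of B paid out."""
        k = self.reserve_a * self.reserve_b
        new_a = self.reserve_a + amount_in
        new_b = k / new_a
        out = self.reserve_b - new_b
        self.reserve_a, self.reserve_b = new_a, new_b
        return out


def price_deviation(pool_price: float, reference_price: float) -> float:
    """Relative distance between the pool's spot price and a reference price.
    The reference source (TWAP or external oracle) is a hypothetical input."""
    return abs(pool_price - reference_price) / reference_price


def deposit_allowed(pool: ConstantProductPool, reference_price: float,
                    max_deviation: float = 0.01) -> bool:
    """Guard a vault could apply before pricing a deposit or withdrawal off the
    pool: refuse when spot has drifted more than max_deviation from reference.
    Assumed mitigation for illustration, not Harvest Finance's actual code."""
    return price_deviation(pool.spot_price(), reference_price) <= max_deviation


def simulate() -> dict:
    """Run one large trade through the constructed pool and report the guard's
    decision before and after it."""
    # Constructed reserves: a balanced 10M/10M stablecoin pool, reference 1.0.
    pool = ConstantProductPool(reserve_a=10_000_000.0, reserve_b=10_000_000.0)
    reference = 1.0
    before = {"price": pool.spot_price(),
              "allowed": deposit_allowed(pool, reference)}
    # One large trade, the kind a flash loan makes affordable within a single
    # transaction, pushes the spot price far from the reference.
    received = pool.swap_a_for_b(5_000_000.0)
    after = {"price": pool.spot_price(),
             "allowed": deposit_allowed(pool, reference)}
    return {"before": before, "after": after, "received_b": received}


if __name__ == "__main__":
    r = simulate()
    print(f"spot before: {r['before']['price']:.4f} allowed={r['before']['allowed']}")
    print(f"spot after : {r['after']['price']:.4f} allowed={r['after']['allowed']}")
```

With the constructed reserves, a 5M trade drops the pool's spot price from 1.0 to about 0.44, a 55% deviation that the 1% guard rejects; the point is that a vault should never treat a single pool's instantaneous reserves as a trustworthy price for valuing its own shares.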
A New DeFi Hack, Every Day
There is a stark similarity between the Harvest Finance hack and a previous $15 million DeFi attack on Eminence: in both cases, the attackers returned a portion of the funds to the lead developer’s address.
While it was 50% of the amount with Eminence, this time the Harvest hackers sent back 10% of the total hack to the ETH deployer address. This raises suspicions that it is either the signature move of a single entity or a trend being adopted by developers.
“The attacker” sent some funds back because they’re such nice people. If this isn’t strong evidence that “the attacker” and “the devs” are the same then I don’t know what is. https://t.co/lNcE2DkcA6
— Riccardo Spagni (@fluffypony) October 26, 2020
As reported earlier, the anonymous developers of Harvest Finance have raised several red flags. Anonymity in DeFi also works to the developers’ advantage: they go untraced and come out of the hacks richer in crypto.