Harvest Finance, a decentralized finance (DeFi) protocol developed by an anonymous team, was exploited early Monday morning UTC.
Harvest is a yield farming protocol similar to YFI. It collects yields from different lending protocols and optimizes for the maximum gain to return to depositors. Harvest's attacker carried out an arbitrage attack using a large flash loan.
Flash loans are uncollateralized loans. They enable users to borrow funds instantly from a liquidity pool, provided that the money is returned to the pool within one transaction block. The Harvest attacker “manipulated prices on one money lego (curve y pool) to drain another money lego (fUSDT, fUSDC), many times,” said Harvest Finance. “The attacker then converted the funds to renBTC and exited to BTC.”
Put simply, the price manipulation on the Curve Y pool allowed the attacker to drain Farm USDT (fUSDT) and Farm USDC (fUSDC) tokens from Harvest. The attacker then converted these tokens to renBTC and finally to bitcoin. RenBTC is a bitcoin-backed token used on the Ethereum network.
Attacker ‘well-known in the crypto community’
Harvest provided some bitcoin addresses of the attacker and said that there is a “significant amount of personally identifiable information on the attacker, who is well-known in the crypto community.”
But Harvest is “not interested in doxxing the attacker.” Instead, it has put up a $100,000 bounty for the first person or team to reach out to the attacker.
Harvest has also asked exchanges like Binance, Coinbase, and Huobi to block the attacker’s addresses.
The attack comes just a day after DeFi analyst Chris Blec claimed that Harvest is a centralized protocol as its administrators hold an “admin key that can drain funds.”
On today’s attack, Blec told The Block that an inside job could not be ruled out as “nobody knows the smart contracts better than the anonymous developers.”
“In these situations, a smart DeFi user doesn’t assume that what they hope happened is what happened. The smart DeFi user assumes that the worst thing that could have happened is what happened. Adversarial thinking is the only way to stay safe in this space,” said Blec.
Harvest Finance was launched in August and still has $588 million worth of user deposits locked in its protocol. That amount was over $1 billion just before the attack, according to tracker DeFi Pulse, which was accessible at the time of writing. (It is currently giving a “500 internal server error.”)
The price of Harvest’s native token, FARM, has also plunged by about 57% since the attack, according to CoinGecko. It is currently trading at about $101.
After the publication of this story, Harvest said it would release a post mortem report of the attack “within the next 16 hours.”
© 2020 The Block Crypto, Inc. All Rights Reserved.