Several decentralized finance (DeFi) protocols have fallen victim to economic exploits since the start of this year. These have included large-scale attacks on the bZx project and the $25 million exploit on dForce’s lending protocol LendfMe.
The latest DeFi protocol to be targeted by malicious hackers is Harvest Finance. At least $24 million of liquidity was lost because of a massive flash loan that allowed the attackers to stretch the price of the stablecoins on the Curve Y pool. The DeFi project is now offering a $100K reward for anyone who effectively reaches out to the hacker involved in the exploit.
$24 Million Stolen
Harvest Finance is a yield farming aggregator that provides liquidity to other DeFi projects. According to a statement released by Harvest Finance on Twitter, the hacker supposedly took advantage of this mechanism to conduct their attack through the Curve Y pool.
“The economic attack was performed through the curve y pool, stretching the price of the stablecoins in Curve out of proportion and depositing and withdrawing a large amount of assets through harvest.”
In the span of seven minutes, the hackers had stolen $24 million. The attacker then swapped his ill-gotten proceeds to renBTC and exited to BTC.
To protect its users, “100% of Stablecoin and BTC curve strategy funds have been withdrawn from the strategy to the vault,” the statement says. Moreover, they have moved to block deposits to the stablecoin and bitcoin vaults.
The attacker sent back $2,478,549.94 (about 10% of the total amount exploited) to the deployer address in the form of USDT and USDC. This amount will be “distributed to the affected depositors pro-rata using a snapshot,” Harvest Finance noted. Nonetheless, this move has aroused suspicion, with some observers in the crypto community suggesting that the hackers involved in the $24 million arbitrage economic exploit are also the developers.
Notably, the price of Harvest Finance’s governance token, FARM, plunged by an eye-popping 55.71% after the news of the hack emerged. The total value locked in the financial protocol has also taken a massive beating, according to DeFi Pulse’s data. From a high of over $1 billion on October 25, this figure has tanked to $572 million at press time.
A $100,000 Bounty
Harvest Finance has subsequently identified ten bitcoin addresses to which the stolen funds were sent. The officials of the DeFi protocol also claim that there is sufficient information to point out the hacker who, apparently, is well-known in the crypto space.
The Harvest Finance team has reacted responsibly to the hack. Besides requesting major crypto exchanges like Binance, Coinbase, Kraken, Huobi Global, and OKEx to blacklist the attacker’s addresses, the platform is also offering a $100,000 bounty to the first person or group that reaches out to the culprit and helps him return all the stolen funds to the ETH deployer address.
The exploit underscores the vulnerability of the DeFi ecosystem. Still, Harvest Finance’s response so far is adequate and inspires optimism regarding the sector’s future despite suffering significant setbacks.