Earlier this week, an economic exploit using flash loans was conducted on decentralized finance (DeFi) protocol Harvest Finance, enabling the attacker to get away with $33.8 million (initially believed to be roughly $24 million). Now, the protocol has increased the bounty to $1 million for information that will lead to them getting the stolen funds back.
Harvest Finance had previously offered a $100,000 bounty on the alleged hacker before increasing it to $400,000 if the return was made within 36 hours.
The hacker used a $50 million flash loan to manipulate the price of USDT and USDC on Curve’s Y pool. The flash loan deflated the price of the stablecoins on Harvest, allowing the hacker to acquire the tokens at a bargain price. This made it possible for the attacker to make a good profit after repaying the flash loan.
The attack led to the price of Harvest’s FARM token crashing over 60%. Additionally, the project’s total value locked (TVL) fell from $1 billion to a mere $295 million. As a result, the Harvest Finance team is working on changes to prevent such an attack in the future, such as limiting flash loans, which the hacker took advantage of.
Notably, Harvest Finance admitted that the hack was the result of an “engineering error” on their part. The project has, however, not yet formulated a plan to make the affected users whole, but notes that it is “building the infrastructure that can provide the remedy to the affected users.” Meanwhile, Harvest Finance is pleading with the hacker to return the exploited funds so that they can be distributed back to the users.
The DeFi project’s team had hinted that they knew the identity of the hacker, who happened to be “well-known in the crypto community,” but they didn’t want to doxx them. They offered a $100,000 bounty for anyone who could persuade the attacker to return the funds, and then a $400,000 one. No one has so far been able to track down the attacker and return the stolen funds. For this reason, Harvest Finance has decided to increase the reward.
Moreover, Harvest has also admitted that it does not have any solid proof of who the attacker really is.