Another DeFi project has been hacked, this time through a weakness that affects the DeFi sector as a whole.
The attacker(s) managed to steal 24 million dollars from a project called Harvest Finance.
As in the attack on Eminence, the attacker(s) returned part of the money, although only 10%.
By now everyone knows that in 2020 the DeFi sector was the centre of attention in the crypto industry. The sector grew by billions of dollars in just a few months. But as it began to attract new users, investors and their money, it also began to attract hackers interested in stealing that money.
This is exactly what happened with a DeFi protocol known as Harvest Finance.
According to new information, someone managed to hack the project by exploiting a weakness present across the DeFi ecosystem. The bug allowed them to steal up to $24 million from Harvest Finance, a yield aggregator that provides liquidity to a number of other DeFi pools.
From what the project shared on Twitter, the hackers apparently used the project's mechanism in Curve's Y pool to launch the attack:
The economic attack was carried out through the Curve Y pool, with the price of the stablecoins in Curve rising disproportionately and a large amount of assets being deposited and withdrawn as a result of the harvest.
To protect the users, we drew funds from the Y pool and the BTC Curve strategy into the vault.
– Harvest Finance (@harvest_finance), October 26, 2020
Allegedly, the hackers were able to push the price of the stablecoins in the Curve Y pool out of line through arbitrage manipulation, using a flash loan of $50 million. They then used the Bitcoin and stablecoin pools on Harvest Finance itself to obtain an even greater amount of stablecoins, while supplying the overpriced coins on Curve.
The entire attack lasted only about seven minutes, and in that time the attackers got away with $24 million.
The trading volume of USDT and USDC on Curve rose from $10 million to over $2.7 billion at the time of the attack.
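To make the pricing problem described above concrete, here is an added illustration (not code from Harvest Finance or Curve): a toy constant-product pool, a vault that values deposits at that pool's spot price, and a deviation guard that refuses to mint shares while the pool is far off its peg. All pool sizes, vault balances and the 1% threshold are constructed for the example, and the constant-product curve stands in for Curve's actual invariant.

```python
from dataclasses import dataclass


@dataclass
class ToyPool:
    """Constant-product pool of two stablecoins (not Curve's StableSwap invariant)."""
    reserve_a: float
    reserve_b: float

    def price_b(self) -> float:
        # Spot price of B in units of A; 1.0 when both coins sit at peg.
        return self.reserve_a / self.reserve_b

    def swap_a_for_b(self, amount_a: float) -> float:
        # Selling a large amount of A makes B scarcer and lifts its spot price.
        k = self.reserve_a * self.reserve_b
        self.reserve_a += amount_a
        out_b = self.reserve_b - k / self.reserve_a
        self.reserve_b -= out_b
        return out_b


class SpotPricedVault:
    """Holds A and B and values deposits at the pool's spot price (the weak design)."""
    def __init__(self, pool, assets_a, assets_b, shares, max_dev=None):
        self.pool, self.assets_a, self.assets_b = pool, assets_a, assets_b
        self.shares, self.max_dev = shares, max_dev  # max_dev=None: no guard

    def nav_in_a(self) -> float:
        return self.assets_a + self.assets_b * self.pool.price_b()

    def deposit_b(self, amount_b: float) -> float:
        # Mitigation: refuse to mint while the pool price is far off the peg.
        dev = abs(self.pool.price_b() - 1.0)
        if self.max_dev is not None and dev > self.max_dev:
            raise ValueError(f"pool price {dev:.1%} off peg; deposit refused")
        minted = amount_b * self.pool.price_b() * self.shares / self.nav_in_a()
        self.assets_b += amount_b
        self.shares += minted
        return minted


def shares_minted(skew_a: float, max_dev=None) -> float:
    """Shares a 100k-B deposit mints after `skew_a` of A is sold into the pool.
    Constructed numbers: 10M/10M pool; vault of 1M A + 1M B backing 2M shares."""
    pool = ToyPool(10_000_000.0, 10_000_000.0)
    vault = SpotPricedVault(pool, 1_000_000.0, 1_000_000.0, 2_000_000.0, max_dev)
    if skew_a:
        pool.swap_a_for_b(skew_a)
    return vault.deposit_b(100_000.0)
```

With no skew the deposit mints exactly 100,000 shares; after 1M of A is sold into the pool the unguarded vault over-mints (about 109,500 shares for the same deposit), while the guarded vault refuses the deposit outright.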
Another attack using a known method
This is not a new method either: the attack and its mechanics have already been discussed in detail in an academic paper from Imperial College London. The paper explains how flash loans can be used to manipulate the prices of coin pairs, leading to an outflow of liquidity.
This attack is also very similar to the attack on Eminence, in which a hacker succeeded in stealing $15 million. As many will remember, that incident came with an interesting twist: the attacker eventually sent half of the stolen money to an address belonging to the project's main developer.
The same happened this time, although the attackers did not send back half of the money, only 10% of what they had stolen. While some believe this may be the attackers' signature, others think it is a new trend that developers may be adopting.
“The attacker” sent back some money because they are such nice people. If this isn’t strong evidence that “the attacker” and “the developers” are the same, I don’t know what is. https://t.co/lNcE2DkcA6
– Riccardo Spagni (@fluffypony), October 26, 2020