Hackers drained $24 million from the DeFi protocol Harvest Finance, exploiting flash loans to obtain USDT and USDC stablecoins from the project's pools. In today's cryptocurrency news, we are reading more about the attack.
The hackers drained Harvest Finance by obtaining USDT and USDC stablecoins worth $24 million, while the governance token FARM crashed by 60% after the hack was revealed. $400 million in total liquidity was drained out of the DeFi project, exposing a vulnerability of the entire DeFi ecosystem. Working as a yield aggregator, Harvest Finance provides liquidity to other DeFi pools in order to obtain gains for its liquidity providers. The hackers leveraged this mechanism in Curve's Y pool for their attack. Arbitrage manipulation using a $50 million flash loan enabled the attackers to stretch the price of the stablecoins in Curve's Y pool. The hackers then used the stablecoin and BTC pools on Harvest Finance to obtain a bigger amount of stablecoins in exchange for the higher-priced Curve tokens.
We are working actively on the issue of mitigating the economic attack on the Stablecoin and BTC pools, and will update in this thread in realtime as soon as additional details are available
— Harvest Finance (@harvest_finance) October 26, 2020
In less than seven minutes, the attackers drained $24 million from the liquidity of Harvest Finance. The total trading volume on Curve's USDT and USDC shot from $10 million to more than $2.7 billion during the exploit. The nature of the attack was discussed in an academic paper by researchers from Imperial College London, which outlines how flash loans can be used to manipulate the price of a token and drain liquidity from DeFi pools.
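The price manipulation described above comes down to a vault trusting a spot price that one large trade can move. The sketch below is an added illustration, not Harvest Finance or Curve code: it assumes a vault that values its holdings at a pool's spot price, uses a constant-product pool in place of Curve's StableSwap curve, and all amounts, names and the 3% threshold are constructed.

```python
# Added illustration, not Harvest Finance code. Constructed numbers; a
# constant-product pool stands in for Curve's StableSwap curve (assumption).
from dataclasses import dataclass


class PriceDeviation(Exception):
    """Spot price is too far from the reference to be trusted."""


@dataclass
class Pool:
    usdc: float
    usdt: float

    def spot(self) -> float:
        """USDT per USDC implied by the current reserves."""
        return self.usdt / self.usdc

    def swap_usdt_in(self, amount: float) -> float:
        """Sell USDT into the pool; returns USDC paid out (no fee)."""
        k = self.usdc * self.usdt
        self.usdt += amount
        out = self.usdc - k / self.usdt
        self.usdc -= out
        return out


def shares_for_deposit(pool, vault_usdt, total_shares, deposit_usdc,
                       reference=None, max_dev=0.03):
    """Shares minted for a USDC deposit into a vault whose USDT holdings are
    valued at the pool's spot price. With `reference` set, the deposit is
    refused when spot deviates from it by more than `max_dev` (hypothetical)."""
    spot = pool.spot()
    if reference is not None and abs(spot - reference) / reference > max_dev:
        raise PriceDeviation(f"spot {spot:.4f} vs reference {reference:.4f}")
    share_price = (vault_usdt / spot) / total_shares  # USDC per share
    return deposit_usdc / share_price


if __name__ == "__main__":
    pool = Pool(usdc=100e6, usdt=100e6)
    print("balanced pool:", shares_for_deposit(pool, 50e6, 50e6, 1e6))
    pool.swap_usdt_in(10e6)  # one large trade skews the reserves
    print("skewed pool:  ", shares_for_deposit(pool, 50e6, 50e6, 1e6))
    try:
        shares_for_deposit(pool, 50e6, 50e6, 1e6, reference=1.0)
    except PriceDeviation as exc:
        print("guarded vault refused deposit:", exc)
```

The same deposit mints about 21% more shares once the reserves are skewed, which is the mispricing a reference-price check refuses to act on; a real stableswap pool moves far less per dollar traded, which is why the loan had to be so large.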
“The attacker” sent some funds back because they’re such nice people. If this isn’t strong evidence that “the attacker” and “the devs” are the same then I don’t know what is. https://t.co/lNcE2DkcA6
— Riccardo Spagni (@fluffypony) October 26, 2020
There is a stark similarity between the Harvest Finance hack and the previous $15 million DeFi attack on Eminence, in that the attackers returned a piece of the stolen funds to the lead developers' addresses. While it was 50% of the amount with Eminence, the Harvest hackers sent back 10% of the total hack to the ETH deployer address. This raised a lot of suspicion as to whether it is a signature move by one entity or a trend adopted by developers.
As reported previously, the anonymous developer of the Harvest Finance DeFi protocol raised several red flags. Anonymity in DeFi also works to the developers' advantage, as they can go untraced and come away much richer in crypto money from a hack. As previously reported, Harvest Finance climbed the DeFi ranks, acquiring more than $1 billion in total value locked, which happened despite the warning signals in the audit reports. Harvest Finance is a DeFi yield aggregator similar to yEarn finance and Rari Capital; these aggregators implement investment strategies across projects to gain maximum yields. Harvest also comes with FARM governance tokens, which receive cashflow from the platform's revenue. This revenue is set at 30% of the profit.