skip to Main Content
bitcoin
Bitcoin (BTC) $ 98,832.48 0.88%
ethereum
Ethereum (ETH) $ 3,474.00 0.13%
tether
Tether (USDT) $ 1.00 0.04%
xrp
XRP (XRP) $ 2.28 1.17%
bnb
BNB (BNB) $ 703.50 0.90%
solana
Solana (SOL) $ 196.89 1.12%
dogecoin
Dogecoin (DOGE) $ 0.331694 1.44%
usd-coin
USDC (USDC) $ 1.00 0.12%
staked-ether
Lido Staked Ether (STETH) $ 3,470.34 0.09%
cardano
Cardano (ADA) $ 0.91106 2.18%

Harvest Finance: $24M Attack Triggers $570M ‘Bank Run’ in Latest DeFi Exploit

Customers outside the Berlin Stadtbank, waiting to withdraw their savings at the outbreak of World War I, August 1914.
(FPG/Hulton Archive/Getty Images)

Harvest Finance: $24M Attack Triggers $570M ‘Bank Run’ in Latest DeFi Exploit

An arbitrage trade exploiting weak points in decentralized finance (DeFi) protocol Harvest Finance led to some $24 million in stablecoins being siphoned away from the project’s pools on Monday, according to CoinGecko.

According to reports, an attacker used a flash loan – a technique that allows a trader to take on massive leverage without any downside – to manipulate DeFi prices for profit. The exploit sent the platform’s native token, FARM, tumbling by 65% in less than an hour, followed by the project’s total value locked (TVL), which dropped from over $1 billion before the exploit to $430 million as of press time.

screen-shot-2020-10-26-at-9-29-14-am
POOR HARVEST: The total value locked (TVL) in Harvest Finance has dropped by more than half in the 12 hours since the exploit.
(DeFi Pulse)

The funds were eventually swapped for bitcoin (BTC), but not before being swept through Ethereum mixing service Tornado Cash.

Mixing the coins didn’t keep the Harvest Finance team in the dark for long. The person behind the exploit “is well-known in the crypto community” after leaving “a significant amount of personally identifiable information,” according to the project’s Discord. All seven bitcoin wallets holding the attacker’s funds are also known. 

The anonymous developers behind the project do not want to doxx the party but are instead offering a $100,000 bounty for convincing the attacker to send back the funds.

“For the attacker: you’ve proven your point, if you can return the funds to the users, it would be greatly appreciated by the community, including many bystanders,” the team said via Discord.

Flash loans strike again

The exploit itself was executed by a series of arbitrage trades between DeFi protocols Uniswap, Curve Finance and Harvest Finance, according to Etherscan. The attacker began by taking out a $50 million USDC flash loan from Uniswap. Then they began swapping between USDC and tether (USDT) to cause the two tokens’ prices to swing wildly.

The price of USDT began to drop on Harvest Finance as the attacker swapped tokens back and forth. The attacker then swapped discounted USDT for stablecoins taken out in the flash loan. The attacker performed the act multiple times. Each successful swap was then turned into ether (ETH) then tokenized bitcoin (WBTC and renBTC, in that order) and then finally bitcoin (BTC), according to Zerion.

Interestingly, some $2.5 million was sent back to the Harvest Finance contract. The developer team said the funds would be distributed pro rata to affected users. The token’s price has slightly rebound, down 49% in 24 hours to $126.82, according to CoinGecko.
The exploit joins a grouping of similar flash loan–based arbitrage trades conducted against DeFi applications in 2020. For example, lending platform bZx was the first to be hit by a flash loan exploit in February 2020. 

Loading data ...
Comparison
View chart compare
View table compare
Back To Top