Harvest Finance has been in the spotlight for quite some time, and not for good reasons. According to the latest reports, which emerged in the early hours of Monday morning, the DeFi yield farming protocol has been drained of nearly $24 million from its pools, with the proceeds swapped for renBTC [rBTC].
some info on the developing @harvest_finance exploit 🧐
~$24MM exploited 👉 https://t.co/dYRS8WMxjN
~$2.5MM sent back to deployer 👉 https://t.co/d8A2FvRrzd
hacker cashed out almost all of it via renBTC and tornado in the last ~1 hour 👉 https://t.co/fNmUnUaYP6
— devops199fan 🔪📜😅 (@devops199fan) October 26, 2020
Confirming the news of the hack, Harvest Finance said it was “working actively” on mitigating the economic attack on its stablecoin and BTC pools. The hacker reportedly used Tornado Cash, a privacy tool that obscures the transaction history of Ether.
The hacker[s] subsequently sent back nearly $2.5 million to the deployer in the form of Tether [USDT] and USD Coin [USDC]. According to Harvest Finance, these funds will be distributed to the affected depositors pro rata, based on a snapshot of balances. The attack itself was made possible by manipulating stablecoin prices on another DeFi platform, Curve Finance.
The Harvest Finance team joined forces with Ren Protocol to trace the Bitcoin addresses to which the funds were transferred. Harvest Finance’s representatives also asked major exchanges to freeze the allegedly stolen funds and block the addresses.
Harvest Protocol further tweeted,
“We will release a post mortem report within the next 16 hours, and work on future risk-mitigation strategies against flashloan economic attacks, including evaluating insurance options, as well as reparation strategies. For the attacker: you’ve proven your point, if you can return the funds to the users, it would be greatly appreciated by the community, including many bystanders watching DeFi from afar”
Furthermore, Harvest Finance stated that it held a “significant amount of personally identifiable information on the attacker”, who is “well-known” in the crypto community. The platform also said it was putting out a 100k bounty for the first person or team to reach out to the attacker. It further tweeted,
“We are not interested in doxxing the attacker, your skill and ingenuity is respected, just return the funds to the users”
Harvest Finance is yet another DeFi protocol that moves deposits into the highest-earning pools to farm, a concept very similar to Yearn Finance. The latest news comes just a day after popular DeFi analyst Chris Blec claimed that the platform was controlled by a single “admin key” capable of draining the funds locked in the protocol’s contracts.
• Still over $1 billion
• Still anon team with admin key that can drain funds
• Still unknown security of key
• Still blocking me on Twitter
• Still banning me from Discord
Response: Trust them cuz $1 billion is "not useful…" and "don't bother us…" pic.twitter.com/N443bnxkE9
— Chris Blec (@ChrisBlec) October 25, 2020