Roughly 24 hours have passed since the DeFi project Harvest Protocol ($FARM) was exploited for over $24 million. Since we first covered the attack, Harvest Protocol has published its “Flashloan Economic Attack Post-Mortem” report.

The details

The attacker used flash loans to manipulate the price of USDT and USDC in Curve’s Y pool and then deposited the USDC into Harvest to rebuy USDT before withdrawing the USDC from Harvest.

“The attacker repeatedly exploited the effects of impermanent loss of USDC and USDT inside the Y pool on Curve.fi. They used the manipulated asset value to deposit funds into the Harvest’s vaults and obtain vault shares for a beneficial price, and later exit the vault at a regular share price generating a profit,” said Harvest in their official statement.
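The share accounting behind that statement can be shown with a simplified model. This is an added example, not Harvest's contract code: the `Vault` class, the `pool_price` input, the reference-price guard and its 0.5% `max_dev` threshold are assumptions, and all figures are constructed.

```python
# Simplified vault share accounting (added illustration, constructed figures).
# pool_price: value of one invested unit, in the deposit asset, as read from the pool.
from dataclasses import dataclass


class PriceDeviation(Exception):
    """Pool-derived price is too far from the reference price."""


@dataclass
class Vault:
    idle: float            # deposit asset held directly, counted at face value
    invested_units: float  # position in the external pool, valued via pool_price
    shares: float          # vault shares outstanding

    def total_value(self, pool_price):
        return self.idle + self.invested_units * pool_price

    def deposit(self, amount, pool_price, reference_price=None, max_dev=0.005):
        # Hypothetical guard: refuse to mint while the pool price is off-reference.
        if reference_price is not None:
            if abs(pool_price - reference_price) / reference_price > max_dev:
                raise PriceDeviation(pool_price)
        # An undervalued position makes each share cheaper, so more are minted.
        minted = amount * self.shares / self.total_value(pool_price)
        self.idle += amount
        self.shares += minted
        return minted

    def withdraw(self, shares, pool_price):
        payout = shares * self.total_value(pool_price) / self.shares
        self.shares -= shares
        from_idle = min(payout, self.idle)
        self.idle -= from_idle
        self.invested_units -= (payout - from_idle) / pool_price
        return payout


def one_cycle(manipulated_price, fair_price=1.0, guarded=False):
    """Deposit at the manipulated valuation, exit at the fair one.
    Returns (depositor profit, value left to the original holders)."""
    vault = Vault(idle=0.0, invested_units=100_000_000.0, shares=100_000_000.0)
    ref = fair_price if guarded else None
    minted = vault.deposit(50_000_000.0, manipulated_price, reference_price=ref)
    payout = vault.withdraw(minted, fair_price)
    return payout - 50_000_000.0, vault.total_value(fair_price)


if __name__ == "__main__":
    print(one_cycle(0.99))  # the depositor's gain equals the holders' loss
```

In this model a deviation threshold only bounds the gain per cycle: a price moved by less than `max_dev` still mints slightly cheap shares.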

The attacker executed this cycle 17 times on the USDC pool and 13 times on the USDT pool for a total of $24 million: 13 million in USDC and 11 million in USDT. For unknown reasons, after the attacker completed the exploit, they sent $2.4 million back to the Harvest protocol deployer contract. The attacker went on to sell their USDC and USDT for renBTC and ETH. The attacker laundered their ETH via the Ethereum mixing service tornado.cash and moved their renBTC to the BTC network.

The Harvest team says the attacker is currently laundering their BTC through several exchanges including Binance, Kraken, and Huobi.

The manhunt

The Harvest team wants the DeFi community to help them identify the attacker, who they say is “well-known in the crypto community.” However, the attacker has yet to be identified.

[Image: Harvest Protocol ($FARM) Discord. Source: Harvest Protocol Discord channel]

To incentivize the search, the Harvest team put up a $400,000 bounty that will go to the “first person or team that helps to return the funds within 36 hours.” After those initial 36 hours, the bounty for returning the funds will drop to $100,000.

