Another day, another DeFi hack: early this morning, Harvest Finance ($FARM) was exploited for over $24 million. The exploit took place just a few hours after DeFi analyst Chris Blec published a statement warning of vulnerabilities in the Harvest protocol.
• Still over $1 billion
• Still anon team with admin key that can drain funds
• Still unknown security of key
• Still blocking me on Twitter
• Still banning me from Discord
Response: Trust them cuz $1 billion is "not useful…" and "don't bother us…" pic.twitter.com/N443bnxkE9
— Chris Blec (@ChrisBlec) October 25, 2020
The attacker exploited Harvest by manipulating stablecoin prices in the external contracts that the Harvest protocol interacts with and relies on for pricing. Once those prices were skewed in the attacker's favor, the attacker drained Harvest's liquidity pools and converted the stolen funds to renBTC.
Few technical details are available at the moment, but the Harvest team has put up a $100,000 bounty for whoever identifies the attacker and says it will release a post-mortem report later today.
DeFi has a (few) loopholes
Pre "DeFi" era, smart contracts on Ethereum would get exploited due to lack of code analysis tools and lack of expert auditors.
Now the growing problem is economic attacks that exploit interactions between different smart contracts. ETH's complexity remains a double edged sword.
— Jameson Lopp (@lopp) October 26, 2020
Many DeFi smart contracts rely on external contracts, which gives attackers multiple attack vectors. When a contract must read state from other contracts, it no longer matters whether the main contract you interact with is secure in isolation: an attacker, like whoever exploited Harvest this morning, can manipulate the contracts the main contract depends on, skew the prices it sees, and then drain the liquidity pool or withdraw funds they are not entitled to.
Many DeFi exploits have taken place this year, and in case after case no "hack" or "breach" in the traditional sense occurred: no code was broken. Instead, the attacker understood the protocol deeply, knew which external contracts the main contract communicated with, and used that knowledge to pull every string attached to the main contract and make away with millions in stolen funds.
When it comes to DeFi, proceed with caution. Most DeFi protocols have no real business model, have not had their code audited, and were created only to make their founding team a few dollars. With such insecure infrastructure and no real interest in building a long-lasting business, you should expect more exploits and rug-pulls in the DeFi space.
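To make the economic attack described above concrete (both the price manipulation in the Harvest write-up and the general "the dependency, not the main contract, is the weak point" argument), here is an added simulation. It is not Harvest's code and does not reproduce the real attack; it is a toy with constructed numbers: a constant-product pool with no swap fee, a vault that prices its holdings off that pool's spot price, and an attacker assumed to hold enough of both tokens to execute all four steps in one transaction. The `max_deviation` reference-price check is one illustrative hardening (an assumed TWAP-style reference), not a claim about what any protocol does.

```python
# Added example: a vault that trusts a manipulable spot price, and the trade
# sequence that extracts value from it. Toy model, constructed numbers, no fees.
from fractions import Fraction as F


class ConstantProductPool:
    """Two-token AMM with x*y = k and no swap fee (fee omitted for clarity)."""

    def __init__(self, reserve_a, reserve_b):
        self.a, self.b = F(reserve_a), F(reserve_b)

    def spot_price_b_in_a(self):
        # How much A one unit of B fetches right now; any swap moves this.
        return self.a / self.b

    def swap_b_for_a(self, amount_b):
        k = self.a * self.b
        self.b += F(amount_b)
        out = self.a - k / self.b
        self.a -= out
        return out

    def swap_a_for_b(self, amount_a):
        k = self.a * self.b
        self.a += F(amount_a)
        out = self.b - k / self.a
        self.b -= out
        return out


class Vault:
    """Pooled vault holding A and B; shares are minted against its value in A."""

    def __init__(self, bal_a, bal_b, shares, pool, reference_price, max_deviation=None):
        self.a, self.b, self.shares = F(bal_a), F(bal_b), F(shares)
        self.pool = pool
        # Assumed manipulation-resistant reference (e.g. a TWAP from earlier blocks).
        self.reference_price = F(reference_price)
        # None means "trust the pool's spot price blindly" (the vulnerable setting).
        self.max_deviation = None if max_deviation is None else F(max_deviation)

    def price_b_in_a(self):
        spot = self.pool.spot_price_b_in_a()
        if self.max_deviation is not None:
            if abs(spot - self.reference_price) > self.reference_price * self.max_deviation:
                raise RuntimeError("spot price deviates from reference; refusing to price")
        return spot

    def total_value_in_a(self):
        return self.a + self.b * self.price_b_in_a()

    def deposit_a(self, amount_a):
        # Shares minted in proportion to the vault's *current* valuation.
        minted = F(amount_a) * self.shares / self.total_value_in_a()
        self.a += F(amount_a)
        self.shares += minted
        return minted

    def withdraw(self, shares):
        frac = F(shares) / self.shares
        out_a, out_b = self.a * frac, self.b * frac
        self.a -= out_a
        self.b -= out_b
        self.shares -= F(shares)
        return out_a, out_b


def run_attack(max_deviation=None):
    """Returns the attacker's profit in A, or None if the vault refused the deposit."""
    pool = ConstantProductPool(1_000_000, 1_000_000)          # fair price: 1 B = 1 A
    vault = Vault(500_000, 500_000, 1_000_000, pool,
                  reference_price=1, max_deviation=max_deviation)
    deposit = F(1_000_000)
    # 1. Skew the pool: dump B so the spot price of B in A collapses (1.0 -> 0.25).
    got_a = pool.swap_b_for_a(1_000_000)
    # 2. Deposit A while the vault undervalues its B holdings -> too many shares.
    try:
        minted = vault.deposit_a(deposit)
    except RuntimeError:
        return None
    # 3. Unskew the pool by reversing the swap; price returns to 1.0.
    pool.swap_a_for_b(got_a)
    # 4. Withdraw: the shares now redeem for more than was deposited.
    out_a, out_b = vault.withdraw(minted)
    return out_a + out_b * pool.spot_price_b_in_a() - deposit
```

With the spot-price oracle the attacker walks away with 3,000,000/13 (about 230,769) units of A, taken directly from the other depositors' share of the vault; with a 5% deviation bound against the reference price, step 2 is rejected and the sequence yields nothing. The point is the one the paragraph makes: the vault's own arithmetic is correct, and the loss comes entirely from the contract it reads from.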