Harvest Finance is now offering a $100,000 bug bounty for anyone to identify the hacker.
The DeFi sector has been the favorite target of attackers this year. And why wouldn’t it be as the industry is growing by billions of dollars each month, and that’s why it is attracting not only investors but hackers too.
The latest to be targeted by malicious threat actors is the decentralized finance (DeFi) protocol called Harvest Finance.
Harvest Finance was exploited early morning on Monday UTC. The company took to Twitter to explain what happened. The company claim that hackers exploited a DeFi ecosystem vulnerability present in the Curve’s Y pool mechanism and stole approx. $24 million.
Later the attacker returned around $2.5 million to the project for unknown reasons. The entire feat took about 7 minutes only.
It is a yield aggregator protocol like the YFI that collects yields from various lending protocols and offers depositors maximum return after optimizing the funds for the maximum. It provides liquidity for several DeFi pools.
Harvest claims that using a $50m flash loan, the attacker(s) could stretch the Curve Y pool’s stablecoin price via arbitrage manipulation. Exploiting the price manipulation on the Curve Y pool; the attacker drained Farm USDT and Farm USDC tokens from Harvest Finance and converted them to renBTC tokens and later to Bitcoin.
The attackers then used Bitcoin and Stablecoin pools on Harvest Finance itself to obtain a higher amount of stablecoins and providing high-priced coins on Curve.
At the time of the attack, the Curve’s trading volume on USDT and USDC went up from $10 million to $2.7 billion. The price of FARM, Harvest’s native token, also jumped by 57% and it is trading at $101.
Flash loans refer to uncollateralized loans. Users can borrow these funds directly from a liquidity pool on the condition that the money is returned within one transaction block.
Harvest Finance also revealed some of the bitcoin addresses of the hacker. The company stated that the hacker is already known in the crypto community and they have sufficient personally identifiable information available on the attacker, but they don’t intend to dox him.
Bitcoin wallets owned by the hacker:
1Paykw4s2WX4SaVjDrQkwSiJr16AiANhiM 1HLG86DDEzAxAGmEzxr1SUfPCWcnWA6bMm 14stnrgMFNR4LesqQRUdo5n1VUx9xdAMeg 18w2Bm2cCsbLjWQU9BcnjzK8ErmzozrVa3 1FS2t2eAjmjaNmADN6SMHYo7G4XGpX1osS 1NdAJ89k1qpRMpZLwuYGQ7VnM45xD2NJXa 1CLHhshrusvT4XADWA29R2H4ndsSUamEWn 1FS2t2eAjmjaNmADN6SMHYo7G4XGpX1osS 1CLHhshrusvT4XADWA29R2H4ndsSUamEWn
However, the company has put a $10,000 bounty for the first individual or team that reaches out to the attacker. They have also asked several exchanges, including Coinbase, Binance, and Huobi to block the hacker’s addresses. Harvest also stated that it would release a post mortem report on the attack within 16 hours.
For the attacker: you've proven your point, if you can return the funds to the users, it would be greatly appreciated by the community, including many bystanders watching DeFi from afar
— Harvest (@harvest_finance) October 26, 2020
The attack has a strong similarity to the Eminence attack during which the hacker stole $15m and sent half of the stolen funds to an address belonging to the project’s lead developer. The difference is that in this incident, the hacker returned 10% of the stolen amount.