DeFi protocol Harvest Finance exploited, attacker drained $33.8M and then returned $2.5M

Quick Take

  • DeFi protocol Harvest Finance was exploited earlier today. The attacker drained $33.8 million from the protocol and then returned $2.5 million.
  • Harvest Finance said the attacker is “well-known in the crypto community,” but it is “not interested in doxxing” them.

Harvest Finance, a decentralized finance (DeFi) protocol developed by an anonymous team, was exploited early Monday morning UTC.

The attacker drained $33.8 million from Harvest and then returned $2.5 million to the protocol for reasons unknown, according to a post-mortem report published by Harvest after the publication of this story. The previous report estimated the loss at about $24 million.

Harvest is a yield farming protocol similar to YFI. It collects yields from different lending protocols and optimizes for the maximum gain, which it returns to depositors. The Harvest attacker performed an arbitrage attack using a large flash loan.

Flash loans are uncollateralized loans. They enable users to borrow funds instantly from a liquidity pool, provided that the money is returned to the pool within one transaction block. The Harvest attacker "manipulated prices on one money lego (curve y pool) to drain another money lego (fUSDT, fUSDC), many times,"