DeFi protocol Harvest Finance exploited, attacker drained $33.8M and then returned $2.5M

Harvest Finance, a decentralized finance (DeFi) protocol developed by an anonymous team, was exploited Monday early morning UTC time.

The attacker drained $33.8 million from Harvest and then returned $2.5 million to the protocol for reasons unknown, according to a post-martem report published by Harvest after the publication of this story. The previous report estimated the loss at about $24 million. 

Harvest is a yield farming protocol similar to YFI. It collects yields from different lending protocols and optimizes for the maximum gain to return it to depositors. The attacker of Harvest performed an arbitrage attack using a large flash loan.

Flash loans are uncollateralized loans. They enable users to borrow funds instantly from a liquidity pool, provided that the money is returned to the pool within one transaction block. The Harvest attacker "manipulated prices on one money lego (curve y pool) to drain another money lego (fUSDT, fUSDC), many times," said Harvest Finance. "The attacker then converted the funds to renBTC and exited to BTC."

Put simply, the price manipulation on the Curve Y pool allowed the attacker to drain Farm USDT (fUSDT) and Farm USDC (fUSDC) tokens from Harvest. The attacker then converted these tokens to renBTC and finally to bitcoin. RenBTC is a bitcoin-backed token used on the Ethereum network.

Attacker 'well-known in the crypto community'

Harvest provided some bitcoin addresses of the attacker and said that there is a "significant amount of personally identifiable information on the attacker, who is well-known in the crypto community."

But Harvest is "not interested in doxxing the attacker." Instead, it has put a $100,000 bounty for the first person or team to reach out to the attacker.

Harvest has also asked exchanges like Binance, Coinbase, and Huobi to block the attacker's addresses.

The attack comes just a day after DeFi analyst Chris Blec claimed that Harvest is a centralized protocol as its administrators hold an "admin key that can drain funds."

On today's attack, Blec told The Block that an inside job could not be ruled out as "nobody knows the smart contracts better than the anonymous developers."

"In these situations, a smart DeFi user doesn't assume that what they hope happened is what happened. The smart DeFi user assumes that the worst thing that could have happened is what happened. Adversarial thinking is the only way to stay safe in this space," said Blec.

Harvest Finance was launched in August and still has $588 million worth of user deposits locked in its protocol. That amount was over $1 billion just before the attack, according to tracker DeFi Pulse, which was accessible at the time of writing. (It is currently giving a "500 internal server error.")

The price of Harvest's native token, FARM, has also plunged by about 57% since the attack, according to CoinGecko. It is currently trading at about $101.

The aftermath 

Harvest later released a blog post detailing its response, including possible UX changes to keep a hack like this from happening again.

To start, to protect against flash-loan-based attacks the team is exploring a "commit-and-reveal" mechanism for deposits, which would make it impossible to perform deposits and withdrawals in a single transaction. However, this UX change may incur a higher gas cost for deposits. 

The current arbitrage threshold of 3% wasn't high enough to protect the vault against today's attack, so the team is also proposing a stricter threshold. It's also exploring solutions related to withdrawals in an underlying asset. Both of these solutions would also require a UX change. 

The team took responsibility for the effects of today's hack, requested that the funds be returned and put out a call for help. It's offering a $100,000 bounty for the first person or team that assists in the return of funds. If accomplished in the next 36 hours, the bounty would quadruple to $400,000. It also asked anyone attempting to return the funds not doxx the attacker.

"We made an engineering mistake, we own up to it," said Harvest's statement. "Thousands of people are acting as collateral damage, so we humbly request the attacker to return funds to the deployer, where it will be distributed back to the users in its entirety."

This article has been updated with new information from Harvest's post-mortem