Harvest Finance, the Kava blockchain-powered decentralized cross-chain money market faced an arbitrage economic attack. According to Harvest Finance, the attack originated with a large flash loan and led to a $24 million exploit by the hacker. Out of the whopping $24 million, the hacker sent $2.5M back to the deployer.
The Harvest Finance attack manipulated the prices on Curve ypool to drain fUSDT and fUSDC money lego. These funds were immediately converted to WBTC then renBTC and cashed out in real bitcoin.
Fear grips FARM holders
Just 2 hours prior to the attack, Harvest Finance proudly tweeted that the farmers had made an annual profit of $69 million. Additionally, the protocol was generating profit share annual percentage yield (APY) of over 410%. But at the time of press, the panic is sky high and farmers are pulling money out of the protocol.
Better to be safe than sorry – withdraw all of your funds from @harvest_finance if you have any in there!
— Anthony Sassano | sassal.eth ⛽ 🏴 (@sassal0x) October 26, 2020
Could this be an insider job?
DeFi Analyst Chris Blec claims that this could be an insider’s job. A couple of days back Chris warned farmers that the Harvest Finance administrators held a very powerful key. Using this key, the administrators can drain the funds anytime.
They may say it's a hack. They may say it's a thief from the outside.
But with an anonymous dev & a powerful admin key, you *need* to assume the worst.
Get your money out of Harvest Finance right now. https://t.co/Fh4Oik4Zn4
— Chris Blec (@ChrisBlec) October 26, 2020
The rest of the funds are safe
Harvest Finance agrees that the hacker has sent $2,478,549.94 to the deployer in the form of USDT and USDC. According to the official tweet, the admin will distribute this amount to affected depositors on pro-rata bases. At the time of the press, all funds in Curve were withdrawn to the stabilized vault. Additionally, the BTC and stablecoin deposits stand disabled.
Furthermore, Harvest Finance tracked down 10 bitcoin accounts that received the hacked coins. It has requested Binance, Coinbase, Huobi, OKEx, Kraken, FTX, Bitfinex, and Bittrex to blacklist these addresses.
A big bug
A Twitter handle that goes by @pancakebunnyfin claims to have identified an implementation bug and a design mistake. According to the tweets, the bug seems to facilitate deposits of all contracts other than the greylist contracts. Additionally, there is an arbitrage check function in the strategy but the tolerance is not high enough.
0. An unfortunate exploit has occurred in @harvest_finance . I took a look at the code, and there was one implementation bug and another design mistake.$FARM #harvest #exploit #bugs @ChrisBlec @Arthur_0x
— Pancake $Bunny on #BSC (@PancakeBunnyFin) October 26, 2020
Questionable DeFi audit
Harvest Finance is an audited DeFi protocol. The blockchain security and data analytics company PeckShield Inc. conducted the audit. If the bugs and design flaws pointed out by @pancakebunnyfin are accurate, PeckShield might also face the burn.
However, at the time of press PeckShield claims that this is the Harvest protocol design format.
It is by design allowed to deposit into vaults from a contract. Same for YFI yVault as well.
— PeckShield Inc. (@peckshield) October 26, 2020
In the last 4 hours, the FARM token faced a major price dump of over 58%. At the time of the press, the FARM token is trading close to $97.
For the latest crypto-related updates do check out our Altcoin Buzz YouTube channel.