DeFi – decentralized finance Protocol, Harvest Finance has been exploited by an attacker resulting in the withdrawal of $24 million. The attacker reportedly returned $2.5 Million to the protocol by reasons unknown.
The Harvest Finance is a yield farming protocol that collects yields from different lending protocols and optimizes for the best gain to return to depositors. The protocol was developed by unknown developers in August, 2020. As at the time of the attack on the protocol, it had attracted over $1 billion in locked assets.
According to Harvest Finance, the economic attack was performed through the curve y pool, stretching the price of the stablecoins in Curve out of proportion and depositing and withdrawing a large amount of assets through harvest. It said it had pulled y pool and BTC curve strategy funds to the vault in order to protect users.
Harvest said the attack was an arbitrage economic attack that used a flash loan, and manipulated prices on one money lego (curve y pool) to drain another money lego (fUSDT, fUSDC), many times. The attacker thereafter converted the funds to renBTC (a bitcoin backed token on the Ethereum blockchain) and then exited to BTC.
Harvest Finance has revealed the returned 2.5 million dollars to the protocol by the attacker will be distributed to the affected depositors pro-rata using a snapshot.
The attacker is a well known personality in the crypto industry
The Harvest team has revealed that there’s significant information to ascertain who the attacker is.
According to the protocol, “In addition to the BTC addresses which hold the funds, there is now a significant amount of personally identifiable information on the attacker, who is well-known in the crypto community.”
It’s also posted a bounty of $100,000 for the first person or team to reach out to the attacker and help return the funds to the deployer address. Harvest said its not interested in doxxing and respect his/her skills but should just return the funds.
and help the attacker return the funds to the deployer address— Harvest Finance (@harvest_finance) October 26, 2020
A Message to the Attacker, More Updates Expected
The project said it will release a post mortem report within the next 16 hours and will work on future risk-mitigation strategies against flash loan economic attacks, including evaluating insurance options as well as reparation strategies.
For the attacker: you've proven your point, if you can return the funds to the users, it would be greatly appreciated by the community, including many bystanders watching DeFi from afar— Harvest Finance (@harvest_finance) October 26, 2020
The protocol sent a message to the attacker, the message was sent via a tweet and it read thus:
“For the attacker: you’ve proven your point, if you can return the funds to the users, it would be greatly appreciated by the community, including many bystanders watching DeFi from afar”.
The token is currently down at over 50% due to the exploit.
Is the attacker likely to return the funds? Please share your opinion below. As we all await updates from Harvest Protocol.