According to reports on Oct. 26, 2020, nearly $24 million in value has been siphoned from the liquidity pools of Harvest Finance, a major decentralized finance (DeFi) protocol.
Harvest Finance subsequently confirmed the hack, stating that the protocol is “working actively on the issue of mitigating the economic attack on the Stablecoin and BTC pools.”
According to the initial tweet, the attacker swapped the stolen crypto for renBTC (rBTC) and used Tornado Cash to mix with other funds. They also returned $2.5 million, the reason for which was not immediately clear.
In response to the breach, investors rushed to get their money out, and so far, appear to have pulled roughly $350 million from Harvest. According to CoinGecko data, the result has been a more than 50% drop in the value of FARM, the platform’s native token.
Such hacks are commonplace in crypto, but the aftermath of the alleged Harvest hack is somewhat unique. In a tweet not long after the incident, Harvest Finance announced that they had enough data to identify the attacker, who is “well-known in the crypto community.”
In addition to the BTC addresses which hold the funds, there is now a significant amount of personally identifiable information on the attacker, who is well-known in the crypto community.
We are putting out a 100k bounty for the first person or team to reach out to the attacker
— Harvest (@harvest_finance) October 26, 2020
According to the tweet, Harvest has no interest in taking punitive action against the attacker, writing, “we are not interested in doxxing the attacker, your skill and ingenuity is respected, just return the funds to the users.”
The hack occurred just a day after DeFi analyst Chris Blec issued a warning about Harvest Finance. Blec’s main allegation was that Harvest administrators hold an admin key that could drain the funds inside the protocol’s smart contracts. Whether or not the admin key played a role in this situation remains unclear, although Harvest referred to the incident as a “flash loan economic attack.”
Neither Blec nor the project’s administrators responded to requests for additional comment. Harvest did, however, indicate that a more detailed explanation would be forthcoming, tweeting, “We will release a post mortem report within the next 16 hours, and work on future risk-mitigation strategies.”