
Harvest Finance Releases Attack Postmortem After Losing $24 Million

Updated by Kyle Baird

In Brief

  • Harvest Finance has released a postmortem from yesterday's arbitrage attack.
  • Almost $34 million in total value was lost.
  • TVL has dumped by $600 million and FARM prices are down 58%.

The latest DeFi incident at Harvest Finance has drawn overwhelming criticism from crypto pundits on social media. However, it would be more constructive to break the situation down and find out exactly what happened in order to mitigate future attacks.
On Oct 26, the DeFi farming protocol Harvest Finance was drained of at least $24 million in liquidity through a flash loan attack, as reported by BeInCrypto at the time. The protocol has taken responsibility for what it called an ‘economic attack’ and ‘engineering error’ and has made a remediation plan for affected users its top priority.
“We take responsibility for this engineering error and are ensuring such incidents are mitigated in the future.”

Harvest Finance Postmortem

In a postmortem blog post, Harvest Finance breaks down the events that led to the draining of millions of dollars of crypto funds from its liquidity pools. The report explained that the attacker exploited arbitrage and impermanent loss features that influenced the value of individual assets inside the Y pool of Curve Finance, where the vault funds resided. Around 18 million USDT and 50 million USDC were sourced from Uniswap and deployed into the attacking contract. The smart contract converted the USDT via a swap inside the Y pool, creating a higher value of USDC inside the pool as the other assets incurred an impermanent loss. The attacker then deposited the USDC into Harvest’s USDC vault, receiving a total of 51.4 million fUSDC at 0.97 USDC per share, decreasing the value of the shares by approximately 1%. The USDC was converted back into USDT via the Y pool, returning USDC to its original lower value as the impermanent loss effect reverted. The DeFi pirate then withdrew from Harvest’s USDC vault, trading all fUSDC shares back at a slightly higher share price as the value of USDC inside the Y pool decreased. The USDC was paid entirely from the buffer of the Harvest USDC vault, without interacting with the Y pool at all, to net a profit of around 620k in USDC.
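The share accounting described above can be modelled in a few lines. This is an added example, not code from Harvest Finance or its postmortem: the vault figures are constructed, and the deviation guard is an assumed mitigation (reject deposits and withdrawals when the pool's spot price strays from a trusted reference), not the fix Harvest announced.

```python
from dataclasses import dataclass

class PriceDeviation(Exception):
    """Spot price is too far from the reference to price shares safely."""

@dataclass
class Vault:
    buffer: float                         # idle USDC the vault pays withdrawals from
    invested: float                       # units of the pooled position
    shares: float                         # shares outstanding
    reference_price: float = 1.0          # assumed trusted price of one pooled unit
    max_deviation: float = float("inf")   # inf disables the guard

    def share_price(self, spot: float) -> float:
        # Shares are valued from the pool's current spot price.
        return (self.buffer + self.invested * spot) / self.shares

    def _guard(self, spot: float) -> None:
        drift = abs(spot - self.reference_price) / self.reference_price
        if drift > self.max_deviation:
            raise PriceDeviation(f"spot {spot} drifts {drift:.2%} from reference")

    def deposit(self, usdc: float, spot: float) -> float:
        self._guard(spot)
        minted = usdc / self.share_price(spot)
        self.buffer += usdc
        self.shares += minted
        return minted

    def withdraw(self, shares: float, spot: float) -> float:
        self._guard(spot)
        paid = shares * self.share_price(spot)
        self.buffer -= paid
        self.shares -= shares
        return paid

def make_vault(max_deviation: float = float("inf")) -> Vault:
    # Constructed figures: 5M buffer, 95M invested, 100M shares.
    return Vault(5e6, 95e6, 100e6, max_deviation=max_deviation)

def round_trip_gain(vault: Vault, usdc: float, skewed: float, fair: float) -> float:
    """Deposit while spot is skewed, withdraw once it reverts; return the gain."""
    minted = vault.deposit(usdc, skewed)
    return vault.withdraw(minted, fair) - usdc

if __name__ == "__main__":
    print(round(round_trip_gain(make_vault(), 50e6, 0.99, 1.0)))   # unguarded
    try:
        round_trip_gain(make_vault(0.005), 50e6, 0.99, 1.0)        # 0.5% guard
    except PriceDeviation as err:
        print("rejected:", err)
```

The gain in the unguarded case comes straight out of the value backing the remaining holders' shares, which is why the share price drops after each round trip.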

Flash Loan Kung Fu

This process was then executed 30 times in seven minutes, netting the attacker a tidy sum of around $24 million in USDT and USDC. The share prices of both stablecoin vaults plummeted, making the overall loss even greater.
“The value lost is about $33.8 million, which corresponded to approximately 3.2% of the total value locked in the protocol at the time before the attack.”
This was a very sophisticated arbitrage attack — it was not a hack and no smart contract code was compromised. Flash loans are not easy to master, a notion that was expanded on in one summary of the events:
“Mastering flash loans is like turning up to a 12th century jousting tournament on a Harley Davidson dual-wielding AK47’s; nobody expects it, plebs get rekt.”
Harvest Finance is working on mitigating future flash loan exploits, but the damage has already been done. Around $600 million in total value locked has fled the protocol over the past 24 hours, according to DeFi Pulse, and FARM tokens have dumped 58% in the same period.

Disclaimer

In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content. Please note that our Terms and Conditions, Privacy Policy, and Disclaimers have been updated.

Martin Young
Martin Young is a seasoned cryptocurrency journalist and editor with over 7 years of experience covering the latest news and trends in the digital asset space. He is passionate about making complex blockchain, fintech, and macroeconomics concepts understandable for mainstream audiences.   Martin has been featured in top finance, technology, and crypto publications including BeInCrypto, CoinTelegraph, NewsBTC, FX Empire, and Asia Times. His articles provide an in-depth analysis of...