Another day, another DeFi exploit. Last week, the less-than-two-month-old Harvest Finance saw its total value locked (TVL) surge to $1.175 billion; today it has fallen below $600 million.
The drop is the direct result of an exploit of the decentralized finance (DeFi) protocol. Its token FARM fared no better, losing over 67% of its value in less than an hour; it is currently trading at $107.
Reports of the exploit surfaced online early Monday: about $24 million was drained from Harvest Finance's pools. Of this, $2.47 million has since been sent back to the deployer in USDT and USDC, which the team says will be “distributed to the affected depositors pro-rata.”
The attack comes a week after a DeFi analyst claimed the project's administrators held an “admin key that can drain funds.” In response, the Harvest Finance team said, “No one can spend 1B, it's not useful.”
An Economic Attack
“We are working actively on the issue of mitigating the economic attack on the Stablecoin and BTC pools,” wrote the anonymous team behind the project on Twitter.
The attacker swapped the stolen funds for renBTC, and part of the proceeds was passed through Tornado Cash, an Ethereum mixing service that obscures the link between sender and recipient.
The team further explained that the “economic attack” worked by manipulating stablecoin prices in the Curve y pool, and that no other pools were affected. To protect users, the team has “pulled y pool and BTC curve strategy funds to the vault.”
“Like other arbitrage economic attacks, this one originated with a large flashloan, and manipulated prices on one money lego (curve y pool) to drain another money lego (fUSDT, fUSDC), many times. The attacker then converted the funds to renBTC and exited to BTC,” the team explained, adding that the whole sequence took just 7 minutes end to end.
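To make that description concrete, here is a simulation added for this article; it is not code from Harvest Finance or from the attacker, and every name, balance and loan size in it is a constructed assumption. A fee-less constant-product pool stands in for the Curve y pool (Curve's StableSwap curve has far lower slippage, so the real attack needed a much larger loan relative to the pool), and a vault that values its strategy position at the pool's spot price stands in for fUSDC. `attack_round` runs one flash-loan cycle and `run_scenario` repeats it; `GuardedVault` shows two generic mitigations, a reference-price deviation check and a ban on deposit-then-withdraw within one block, neither of which is claimed to be Harvest's actual fix.

```python
ONE = 10**6           # one USDC/USDT in 6-decimal base units
PRICE_SCALE = 10**18  # fixed-point scale for prices


class Pool:
    """Fee-less constant-product AMM (x*y=k) standing in for the Curve y pool.
    Constructed model: Curve's StableSwap curve has far lower slippage."""

    def __init__(self, usdt: int, usdc: int):
        self.usdt, self.usdc = usdt, usdc

    def price_usdt_in_usdc(self) -> int:
        """Spot price of 1 USDT in USDC (scaled). Anyone can move it within a tx."""
        return self.usdc * PRICE_SCALE // self.usdt

    def swap_usdt_for_usdc(self, amount_in: int) -> int:
        out = self.usdc * amount_in // (self.usdt + amount_in)
        self.usdt, self.usdc = self.usdt + amount_in, self.usdc - out
        return out

    def swap_usdc_for_usdt(self, amount_in: int) -> int:
        out = self.usdt * amount_in // (self.usdc + amount_in)
        self.usdc, self.usdt = self.usdc + amount_in, self.usdt - out
        return out


class SpotPricedVault:
    """Takes USDC deposits; part of its holdings sit in a USDT strategy that it
    values at the pool's *current* spot price. That valuation is the weak point."""

    def __init__(self, pool: Pool, strategy_usdt: int, usdc_buffer: int):
        self.pool, self.strategy_usdt, self.usdc = pool, strategy_usdt, usdc_buffer
        self.total_shares = strategy_usdt + usdc_buffer  # 1 share == 1 USDC at launch
        self.shares = {}

    def total_value(self) -> int:
        return self.usdc + self.strategy_usdt * self.pool.price_usdt_in_usdc() // PRICE_SCALE

    def deposit(self, who: str, usdc_in: int, block: int) -> int:
        minted = usdc_in * self.total_shares // self.total_value()
        self.usdc += usdc_in
        self.total_shares += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def withdraw(self, who: str, shares: int, block: int) -> int:
        if self.shares.get(who, 0) < shares:
            raise ValueError("insufficient shares")
        out = shares * self.total_value() // self.total_shares
        if out > self.usdc:  # simplification: a real vault would unwind its strategy
            raise RuntimeError("USDC buffer exhausted")
        self.shares[who] -= shares
        self.total_shares -= shares
        self.usdc -= out
        return out


class GuardedVault(SpotPricedVault):
    """Same accounting plus two generic mitigations (assumed here, not Harvest's
    patch): reject calls while spot deviates from a reference price settled outside
    the transaction, and reject deposit-then-withdraw by one address in one block."""

    MAX_DEVIATION_BPS = 50  # tolerate 0.5 % drift between reference and spot

    def __init__(self, pool: Pool, strategy_usdt: int, usdc_buffer: int):
        super().__init__(pool, strategy_usdt, usdc_buffer)
        self.ref_price = pool.price_usdt_in_usdc()  # refreshed by a keeper, not per call
        self.last_deposit_block = {}

    def _require_price_sane(self) -> None:
        spot = self.pool.price_usdt_in_usdc()
        deviation_bps = abs(spot - self.ref_price) * 10_000 // self.ref_price
        if deviation_bps > self.MAX_DEVIATION_BPS:
            raise ValueError(f"spot price {deviation_bps} bps off reference")

    def deposit(self, who: str, usdc_in: int, block: int) -> int:
        self._require_price_sane()
        self.last_deposit_block[who] = block
        return super().deposit(who, usdc_in, block)

    def withdraw(self, who: str, shares: int, block: int) -> int:
        self._require_price_sane()
        if self.last_deposit_block.get(who) == block:
            raise ValueError("deposit and withdrawal in the same block")
        return super().withdraw(who, shares, block)


def attack_round(pool: Pool, vault: SpotPricedVault, loan_usdt: int, loan_usdc: int, block: int) -> int:
    """One flash-loan cycle inside a single transaction. Returns the attacker's net
    gain in USDC base units (USDT rounding dust counted 1:1)."""
    usdc_from_swap = pool.swap_usdt_for_usdc(loan_usdt)  # 1. dump borrowed USDT: spot collapses, share price drops
    shares = vault.deposit("attacker", loan_usdc, block)  # 2. buy shares cheap with borrowed USDC
    usdt_back = pool.swap_usdc_for_usdt(usdc_from_swap)  # 3. swap back: pool and share price restored
    usdc_out = vault.withdraw("attacker", shares, block)  # 4. redeem at the restored share price
    return (usdc_out - loan_usdc) + (usdt_back - loan_usdt)  # 5. repay both loans; the rest is profit


def run_scenario(guarded: bool, rounds: int = 1):
    """Fresh constructed pool and vault; cumulative attacker profit, or None if rejected."""
    pool = Pool(usdt=10_000_000 * ONE, usdc=10_000_000 * ONE)
    cls = GuardedVault if guarded else SpotPricedVault
    vault = cls(pool, strategy_usdt=5_000_000 * ONE, usdc_buffer=5_000_000 * ONE)
    profit = 0
    try:
        for _ in range(rounds):
            profit += attack_round(pool, vault, 20_000_000 * ONE, 5_000_000 * ONE, block=1)
    except ValueError:
        return None
    return profit


if __name__ == "__main__":
    print("spot-priced vault, one round :", run_scenario(False) // ONE, "USDC")
    print("spot-priced vault, two rounds:", run_scenario(False, 2) // ONE, "USDC")
    print("guarded vault                :", run_scenario(True))
```

Run as a script it prints the attacker's take for one and two rounds against the spot-priced vault (the second round is more profitable than the first, because the remaining depositors now back fewer assets), and `None` for the guarded vault, whose deviation check fires at the deposit step. The lesson is the one in the team's own wording: a share price is only as trustworthy as the price it reads, and a spot price that the caller can move inside the same transaction is not a price feed.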
The team has published a list of 10 BTC addresses belonging to the flashloan attacker, which it says hold all of the stolen funds, and is asking cryptocurrency exchanges to blacklist them.
The team also says it has a “significant amount of personally identifiable information on the attacker,” who is reportedly a well-known figure in the crypto community. But they “aren’t interested in doxxing the attacker, your skill and ingenuity is respected, just return the funds to the users,” the team said.
A $100k bounty has also been announced for the first person to reach the attacker.