Harvest Finance, a decentralized finance (DeFi) project led by an anonymous team, was attacked using a flash loan exploit earlier today leading to millions of dollars worth of FARM tokens stolen by hackers and its prices falling over 60% at press time.
“The economic attack was performed through the curve y pool, stretching the price of the stablecoins in Curve out of proportion and depositing and withdrawing a large number of assets through harvest,” explained the Harvest Finance team in a tweet.
The economic attack was performed through the curve y pool, stretching the price of the stablecoins in Curve out of proportion and depositing and withdrawing a large amount of assets through harvest.
To protect users, we’ve pulled y pool and btc curve strategy funds to the vault
— Harvest Finance (@harvest_finance) October 26, 2020
Attackers seemingly exploited the network using a “flash loan” feature — a tool used to lend assets to crypto-traders for zero collateral as long as the entire transaction is included in a single block.
Simply put, by taking out a huge loan, attackers inflated the price of some tokens on Curve Finance (another stablecoin DeFi project) and used it to falsely extract tokens from Harvest. Block explorer data showed the attackers managed to accumulate over $24 million for their effort.
24m in profits. https://t.co/2d05Lfhx8Q pic.twitter.com/N5BkJ8A7hg
— jiecut (@jiecut42) October 26, 2020
Harvest Finance noted that the exploit was similar to other arbitrage economic attacks, the one from this morning originated with a large flash loan, and “manipulated prices on one money lego (curve Y pool) to drain another money lego (fUSDT, fUSDC), many times.”
“The attacker then converted the funds to renBTC and exited to BTC,” the team said in a tweet.
Like other flashloan attacks, the attacker did not give time to respond, performing the attack in 7 minutes end to end.
Wallet of the attacker exiting through renBTChttps://t.co/O6hqnmtXXC
Source: @devops199fan
— Harvest Finance (@harvest_finance) October 26, 2020
Later on, in an Eminence-esque move, the attackers sent back over $2.4 million to the deployer in the form of USDT and USDC. This amount will be distributed to the affected depositors pro-rata using a snapshot, the Harvest team said in a tweet. However, the move attracted suspicion from some quarters, such as former Monero lead Riccardo Spagni:
“The attacker” sent some funds back because they’re such nice people. If this isn’t strong evidence that “the attacker” and “the devs” are the same then I don’t know what is. https://t.co/lNcE2DkcA6
— Riccardo Spagni (@fluffypony) October 26, 2020
Some like Ex-Messari product head Qiao Wang stated the move was a setback for the anonymous DeFi space:
“Really wanted to see anon/pseudon teams succeed in crypto but so far we still only have BTC and arguably XMR I think. Harvest is a huge setback for anon DeFi.”
Meanwhile, The Block director of research Larry Cermak noted on Twitter that the exploits led to a temporary resurgence of trading volume on decentralized exchange protocol Uniswap. The DEX has suffered in the past few weeks and had its volume trickle down to under $150 million a day — until this morning.
92% of that volume came from USDT/ETH and USDC/ETH pairs. And they generated $5.76 million for LPs in fees. pic.twitter.com/1566htLwfG
— Larry Cermak (@lawmaster) October 26, 2020
The exploit is the latest in a series of DeFi projects that have been attacked or manipulated this year, such as bZx Protocol, Sushiswap, and others.
The post Uniswap volumes bump to $2 billion after attack on DeFi project Harvest Finance appeared first on CryptoSlate.
Leave a Reply