The DeFi ecosystem is still vulnerable to exploits, as hackers allegedly stole $24 million from Harvest Finance and BTC pools.
The DeFi protocol announced that they “are working actively on the issue of mitigating the economic attack”. Harvest Finance further explained that the attack was carried out by exploiting one of the liquidity pools, Curve Y. The attacker performed an arbitrage attack using a large flash loan, which manipulated the prices on the pool. The attacker took out a $50 million flash loan, which enabled them to stretch prices and make exchanges for the highly priced tokens on Curve.
The total volume of trading on Curve’s USDT and USDC shot from $10 million to over $2.7 billion during the exploit.
The team at Harvest Finance quickly transferred all funds into the vault, noting that all stablecoins and BTC are in a safe place.
“The attacker then converted the funds to renBTC and exited to BTC,” Harvest Finance added. Harvest Finance reported 10 of the BTC wallet addresses to which the withdrawal was made, asking some of the major exchanges to blacklist the addresses. The Harvest Finance team also noted that they possess personal information about the hacker, and described the person as “well-known in the crypto community”.
Source: Twitter
Shortly after the arbitrage attack, Harvest’s governance token, FARM, dropped 60% in price. Liquidity providers also left the platform, shedding as much as $400 million in total liquidity. Working as a yield aggregator, Harvest Finance provides liquidity to other DeFi pools to obtain gains for its liquidity providers (LPs). The attacker, however, returned $2.4 million worth of stablecoins to Harvest Finance’s deployer address. Although the hacker returned ten percent of the stolen funds, Harvest is also offering a $100,000 bounty for any information about the hacker.
However, the mechanism of the attack isn’t new for the DeFi ecosystem, as the Eminence protocol was hacked in a very similar way, with the hacker returning a portion of the stolen funds directly to the lead developer’s wallet address.
Meanwhile, DeFi monitoring platform DeFi Pulse also had a shutdown, which coincided with the attack on Harvest Finance. However, DeFi Pulse remains silent about the shutdown of their platform. Users who tried to access the data on DeFi Pulse received a “500 Internal Server Error”, and, in some instances, users were banned from accessing the site.