DeFi project Harvest Finance loses $24 million to hackers

By: Ali Raza
on Oct 26, 2020
  • Another DeFi project was recently hacked using a well-known vulnerability of the entire DeFi sector.
  • This time, the attacker(s) managed to steal $24 million from a project called Harvest Finance.
  • As in the attack on Eminence, the attacker(s) returned a portion of the funds, although only 10%.

By now, everyone knows that the DeFi sector has been the center of attention in the crypto industry in 2020. The sector has grown by billions and billions of dollars in only a few months. However, just as it started attracting new users and investors, along with their money, it also started attracting hackers interested in stealing that money.

This is exactly what happened to a DeFi protocol known as Harvest Finance.

What happened?


According to new information, someone managed to hack the project by exploiting a vulnerability of the entire DeFi ecosystem. The flaw allowed them to steal as much as $24 million from Harvest Finance, a yield aggregator that provides liquidity to a number of other DeFi pools.

From what the project shared on Twitter, hackers seemingly managed to leverage the project’s mechanism in Curve’s Y pool, and conduct an attack.

Allegedly, hackers were able to stretch the price of the Curve Y pool’s stablecoins through arbitrage manipulation, using a $50 million flash loan. After that, they used Bitcoin and stablecoin pools on Harvest Finance itself to get an even greater amount of stablecoins, while providing highly-priced coins on Curve.

The whole attack took only around seven minutes, and during that time, the attackers managed to walk away with $24 million.

The volume of trading on USDT and USDC on Curve went up from $10 million to above $2.7 billion at the time of the attack.
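The guard below is an added example, not code from Harvest Finance or from this article: it shows why a price read from pool reserves can move within a single transaction, and how comparing it with a time-averaged reference rejects a deposit made at the skewed price. The constant-product pool (a stand-in, not Curve's formula), the pool sizes, the 30-block window, the 1% threshold and all names are assumptions.

```python
# Added illustration; every name and number here is constructed.
from dataclasses import dataclass, field
@dataclass
class Pool:
    """Constant-product pool (x*y=k): a stand-in, not Curve's pricing formula."""
    usdc: float
    usdt: float

    def spot(self) -> float:
        """USDC price in USDT implied by the current reserves."""
        return self.usdt / self.usdc

    def swap_usdc_in(self, amount: float) -> float:
        """Sell USDC into the pool; returns the USDT paid out."""
        k = self.usdc * self.usdt
        self.usdc += amount
        out = self.usdt - k / self.usdc
        self.usdt -= out
        return out

@dataclass
class Twap:
    """Average of the last `window` per-block price observations."""
    window: int
    obs: list = field(default_factory=list)

    def record(self, price: float) -> None:
        self.obs = (self.obs + [price])[-self.window:]

    def value(self) -> float:
        return sum(self.obs) / len(self.obs)

def deposit_allowed(spot: float, reference: float, max_dev: float = 0.01) -> bool:
    """Reject when spot deviates from the reference by more than max_dev."""
    return abs(spot - reference) / reference <= max_dev

def run_scenario():
    pool = Pool(usdc=100_000_000, usdt=100_000_000)
    twap = Twap(window=30)
    for _ in range(30):                 # 30 quiet blocks, recorded at end of block
        twap.record(pool.spot())
    calm = deposit_allowed(pool.spot(), twap.value())
    pool.swap_usdc_in(50_000_000)       # one large trade inside a single transaction
    skewed = pool.spot()                # the averaged reference has not moved yet
    during = deposit_allowed(skewed, twap.value())
    return calm, skewed, during

if __name__ == "__main__":
    print(run_scenario())
```

The size of the price move here comes from the constant-product stand-in and is far larger than a stablecoin-optimised curve would show for the same trade; the point is the gap between the spot price and the reference, not the magnitude.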

Another attack using a well-known method

This is also not a new method, as the attack itself and its nature were already discussed at length in an academic paper from Imperial College London. The paper explains exactly how flash loans could be used to manipulate token pairs' prices, which would lead to a liquidity drain.

This attack is also extremely similar to the one that hit Eminence, during which a hacker managed to steal $15 million. As many may remember, this incident came with an interesting twist, as the attacker ended up sending half of the stolen money to an address belonging to the project’s lead developer.

The same happened this time, although the attackers did not send half of the money back, but only 10% of what they stole. While some believe that this might be the attackers’ signature move, others consider it a new trend that developers might be adopting.
