Another decentralized finance (DeFi) project, Harvest Finance, has suffered a flashloan attack that lasted for seven minutes, with reportedly at least USD 24m exploited.
The DeFi side of the Cryptoverse has been on high alert in the last six hours, with many calling for people to withdraw funds from Harvest Finance, as the news started spreading that upwards of USD 24m has been taken from the project’s pools.
24m in profits. https://t.co/2d05Lfhx8Q pic.twitter.com/N5BkJ8A7hg
— jiecut (@jiecut42) October 26, 2020
The team behind the Harvest Finance (FARM) project confirmed the attack several hours ago, stating that "the economic attack was performed through the curve y pool, stretching the price of the stablecoins in Curve out of proportion and depositing and withdrawing a large amount of assets through harvest."
Per this Twitter thread, the team is working on "mitigating the economic attack on the Stablecoin and BTC pools," with the funds from both withdrawn to the vault, not deployed in a strategy, adding that no other pools have been affected. They added that they disabled deposits for stablecoin and bitcoin (BTC).
The attacker has returned USD 2.48m of the stolen funds to the deployer, said the thread, in tether (USDT) and USD coin (USDC). "This will be distributed to the affected depositors pro-rata using a snapshot," said the team.
As to how the attack was performed, per these initial reports it seems to be similar to the other flashloan attacks we previously reported on.
Like other arbitrage economic attacks, this one originated with a large flashloan, and manipulated prices on one money lego (curve y pool) to drain another money lego (fUSDT, fUSDC), many times.
The attacker then converted the funds to renBTC and exited to BTC
— Harvest Finance (@harvest_finance) October 26, 2020
According to the team, there was no time to respond, with the attack being performed "in 7 minutes end to end." They provided the wallet of this attacker making their exit though renBTC, as well as their BTC addresses.
Meanwhile, FARM’s price crashed nearly 52% in the past 24 hours, reaching USD 114 (09:10 UTC).
Furthermore, until today, Harvest Finance had over USD 1bn in total valued locked, as shown by DeFi Pulse. On October 26, until the time of writing, this TVL dropped over 45% to the current USD 572.5m.
And though the team has many supporters, there have been complaints by a number of people that they have been "proactively kicking users from discord for asking questions." Others are discussing if this could be an inside job. Researcher and analyst, Chris Blec, who recently argued that Harvest Finance’s deposits are protected by one key, held by an anonymous individual, which can drain all funds, offered another, related theory.
Theoretical inside job psyop:
Send most hacked funds to a new account, but "return" a small amount back into team's public account so that they can offer a gesture of good faith to users.
Users will think that team is honest since they're not running off w/ "returned" funds.
— Chris Blec (@ChrisBlec) October 26, 2020
Meanwhile, others, such as ‘PancakeBunnyFin’, have been reporting on an alleged implementation bug and a design mistake in the project’s code.
The team added that a post mortem would be released tomorrow. Furthermore, they said that the attacker is "well-known in the crypto community" based on the information they’ve gathered, and that they are not interested in doxxing this person. "You’ve proven your point," they wrote for the attacker, "if you can return the funds to the users, it would be greatly appreciated by the community, including many bystanders watching DeFi from afar."
Cryptonews.com has contacted Harvest Finance for comment.