On October 26, Harvest Finance, a project with a total value locked (TVL) of more than $1 billion, was attacked by anonymous hackers. So far, the attack has caused about $24 million in losses, with many holders claiming to have lost more than 15% of their funds. On this news, $FARM, Harvest's native token, tumbled by 65% in less than an hour, according to CoinGecko.
Influencers in DeFi suggested that users withdraw their money first to make sure it’s safe. In addition, Harvest has advised users to stop depositing in the Stablecoin pool and the BTC pool.
At the time of writing, the value locked in Harvest's contracts has fallen to $599M, down 46.42% from 24 hours earlier.
The hack came a day after DeFi watcher Chris Blec revealed the huge risk involved in the Harvest project: the more than $1 billion of funds in its contracts were entirely controlled by anonymous developers. It is suspected that the development team had been deliberately hiding this fact.
Ma Haobo, founder and CEO of aelf, offered his own speculation on the matter: the first thing you need to know is that with P2P (peer-to-peer) lending you can borrow a lot of money without collateral. No matter how little slippage there is in an AMM, it always exists. Moreover, although the slippage of Curve's price curve between the two tokens is relatively low, there can still be uncontrollable events in extreme cases.
Ma Haobo speculated that the hackers may have borrowed a large amount of money via P2P and then pushed Curve's price to outrageous levels. After that, they went to Harvest and deposited one-sidedly at a risky price (i.e., deposited at a loss). Then they used Curve to redeem the money. In this way, Harvest lost money and the hackers profited. Curve's price also fluctuated because of this operation. Curve's loss is actually the same as a Uniswap LP's loss, namely impermanent loss, and the price quickly recovers.
How did hackers hack Harvest?
Like other P2P attacks, the hackers completed the attack end-to-end in 7 minutes, giving the platform no time to react.
1. Hackers borrowed $50 million from Uniswap's USDT-ETH LP contract.
2. Hackers swapped 11,407,812 USDT for 11,425,651 USDC in the Curve contract. This moved Curve's swap price: by buying a large amount of USDT, the quote went from roughly 1 USDT = 1.00000X USDC to 11,445,785.907417 / 11,437,077.011569 = 1.000761468 USDC.
3. In the fUSDT contract, hackers staked 60,666,288.631146 USDT to obtain 71,668,595.794204 fUSDT as proof of their holdings. The USDT deposited into Harvest automatically provides liquidity to Curve.
4. Hackers exchanged 11,437,077.011569 USDT for 11,445,785.907417 USDC in the Curve contract. The previous operations had moved Curve's price to 1 USDT = 1.00076146168 USDC, so the hackers could now exchange a small amount of USDT for more USDC.
5. Hackers redeemed 61,093,558.168153 USDT from the 71,668,595.794204 fUSDT obtained in step 3. This step shows that the arbitrage succeeded: 61,093,558.168153 USDT - 60,666,288.631146 USDT = 427,269.537007 USDT of profit.
Looking at where the profit came from, it was clear that Harvest was adding liquidity to Curve in the wrong direction. That is, Curve's original LPs suffered no loss; the hackers' profit came out of the 60,666,288.631146 USDT position that Harvest had deposited.
Repeat steps 2–5:
6. Hackers swapped 11,425,651.360209 USDC for 11,407,840.0888 USDT in the Curve contract.
7. Hackers staked 61,064,321.245384 USDT in the fUSDT contract to obtain 72,458,553.719987 fUSDT as proof of their holdings.
8. Hackers exchanged 11,437,077.011569 USDT for 11,445,757.818914 USDC in the Curve contract.
9. Hackers redeemed 61,489,849.847749 USDT from the 72,458,553.719987 fUSDT obtained in step 7.
Repeat steps 2–5:
10. Hackers exchanged 11,425,651.360209 USDC for 11,407,868.045888 USDT in the Curve contract.
11. Hackers staked 61,460,640.882068 USDT in the fUSDT contract to obtain 73,252,241.779134 fUSDT as proof of their holdings.
12. Hackers exchanged 11,437,077.011569 USDT for 11,445,729.800332 USDC in the Curve contract.
13. Hackers redeemed 61,884,410.538009 USDT from the 73,252,241.779134 fUSDT obtained in step 11.
14. Hackers returned 50,165,496.489468 USDT to the Uniswap USDT-ETH LP contract.
The attack targeted Harvest Finance's fTokens (fUSDC, fUSDT, ...), which are minted using quotes from the Curve y pool (Curve itself serves as the price feed). By shifting that quote with large swaps, the attackers could control how many fTokens Harvest minted for a deposit, and they profited from the difference.
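The mechanism described above, as an added worked model (not Harvest Finance or Curve code): a toy vault that marks its pooled holdings with the pool's own spot quote, so a depositor who skews that quote within one transaction is minted too many shares, beside a guarded variant that refuses deposits while the quote is off parity. The pool is a simplified two-coin StableSwap-style invariant in floating point with no trading fee; the reserves, amplification parameter, vault position, deposit size and skew size are constructed numbers rather than values from the incident, and the parity guard is a generic mitigation assumed here, not any project's actual fix.

```python
N_COINS = 2          # index 0 = USDT, index 1 = USDC (toy model, not Curve's code)
TOL = 1e-6


def get_d(xp, amp):
    """Solve the two-coin StableSwap-style invariant for D by Newton iteration."""
    s = sum(xp)
    d, ann = s, amp * N_COINS
    for _ in range(255):
        d_p = d
        for x in xp:
            d_p = d_p * d / (N_COINS * x)
        d_prev = d
        d = (ann * s + d_p * N_COINS) * d / ((ann - 1) * d + (N_COINS + 1) * d_p)
        if abs(d - d_prev) <= TOL:
            break
    return d


def get_y(x_new, xp, amp):
    """Balance the other coin must take once one coin's balance becomes x_new."""
    d = get_d(xp, amp)
    ann = amp * N_COINS
    c = d * d / (x_new * N_COINS) * d / (ann * N_COINS)
    b = x_new + d / ann
    y = d
    for _ in range(255):
        y_prev = y
        y = (y * y + c) / (2 * y + b - d)
        if abs(y - y_prev) <= TOL:
            break
    return y


class Pool:
    """Fee-less two-coin pool; LP supply is seeded equal to D (constructed)."""

    def __init__(self, usdt, usdc, amp):
        self.balances, self.amp = [float(usdt), float(usdc)], amp
        self.lp_supply = get_d(self.balances, amp)

    def swap(self, i, j, dx):
        """Sell dx of coin i for coin j; returns the amount of j received."""
        x_new = self.balances[i] + dx
        y_new = get_y(x_new, self.balances, self.amp)
        dy = self.balances[j] - y_new
        self.balances[i], self.balances[j] = x_new, y_new
        return dy

    def spot_usdt_per_usdc(self):
        """Marginal USDT-per-USDC quote, probed with a small hypothetical swap."""
        probe = 1000.0
        y_new = get_y(self.balances[1] + probe, self.balances, self.amp)
        return (self.balances[0] - y_new) / probe

    def lp_value_in_usdt(self, lp):
        """Mark an LP position in USDT at the pool's own marginal quote."""
        usdt, usdc = self.balances
        return lp / self.lp_supply * (usdt + usdc * self.spot_usdt_per_usdc())


class Vault:
    """Share-issuing USDT vault whose invested balance is an LP position valued
    with the pool's quote. guard_bps, when set, refuses deposits while the quote
    is more than that many basis points off parity (assumed mitigation)."""

    def __init__(self, pool, lp, guard_bps=None):
        self.pool, self.lp, self.idle, self.guard_bps = pool, lp, 0.0, guard_bps
        self.shares = pool.lp_value_in_usdt(lp)      # one share per USDT at start

    def total_underlying(self):
        return self.idle + self.pool.lp_value_in_usdt(self.lp)

    def deposit(self, usdt):
        if self.guard_bps is not None:
            off_parity_bps = abs(self.pool.spot_usdt_per_usdc() - 1.0) * 1e4
            if off_parity_bps > self.guard_bps:
                raise ValueError(f"quote is {off_parity_bps:.0f} bps off parity")
        minted = usdt * self.shares / self.total_underlying()   # the weak step
        self.idle += usdt
        self.shares += minted
        return minted

    def withdraw(self, shares):
        payout = shares * self.total_underlying() / self.shares
        self.shares -= shares
        from_idle = min(payout, self.idle)
        self.idle -= from_idle
        # anything beyond idle funds comes out of the LP claim at its marked value
        self.lp -= (payout - from_idle) / self.pool.lp_value_in_usdt(1.0)
        return payout


def run_scenario(manipulate, guard_bps=None):
    """Deposit-then-withdraw round trip by one depositor; returns their net gain.

    With manipulate=True the depositor first skews the quote with a large
    USDC->USDT swap (flash-loan style) and unwinds it before withdrawing,
    mirroring the sequence in the write-up. All amounts are constructed."""
    pool = Pool(usdt=50e6, usdc=50e6, amp=100)
    vault = Vault(pool, lp=0.2 * pool.lp_supply, guard_bps=guard_bps)
    deposit, skew = 10e6, 20e6
    usdt_bought = pool.swap(1, 0, skew) if manipulate else 0.0
    minted = vault.deposit(deposit)
    usdc_back = pool.swap(0, 1, usdt_bought) if manipulate else skew
    payout = vault.withdraw(minted)
    return (payout - deposit) + (usdc_back - skew)


def guard_blocks_manipulation(guard_bps=50):
    """True when the guarded vault refuses the deposit while the quote is skewed."""
    try:
        run_scenario(manipulate=True, guard_bps=guard_bps)
    except ValueError:
        return True
    return False
```

`run_scenario(manipulate=True)` returns a positive gain for the depositor even though the pool ends exactly where it started and its LPs lose nothing: the vault valued its existing position too low during the skew, minted too many shares, and the loss falls on the vault's other shareholders, which is the "wrong direction" the write-up describes. An honest round trip nets zero, and the guarded vault rejects the skewed sequence. The guard is only as good as its threshold, so it belongs alongside a valuation that does not depend on one pool's instantaneous state.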
Most security incidents in the blockchain sector are caused by flaws in source code that hackers exploit. Smart contracts are protected by the blockchain itself, so their code can be open-sourced and accessible to all. However, that openness also makes it easy for hackers to find defects in the code and then trigger them to change the execution result of the smart contract, which poses huge economic risks to blockchain projects. Open-sourcing smart contract code therefore requires that the code be 100% reliable and accurate.
All open-source projects should therefore give the highest priority to security and strive to provide users with safe, high-performance, reliable blockchain infrastructure with a good user experience.