Week 9 Update: Restoring Funds and Immediate Next Steps to Mitigate Hacks
🔒 Safety and security are the two most important pillars we have at Harvest Finance. While we were looking forward to pushing updates that would make the yield farming experience easier and more enjoyable, including prepared updates that would have moved out of Curve’s Y Pool, our main focus in Week 9 is to restore funds from the hacker and to mitigate any flashloan attacks that can affect users.
🔎 In light of the hacker’s exploit, this Week’s Update will not be about new strategies we could deploy or the UI updates that would streamline deposits or withdrawals. Instead it is to share the facts about what we know so far, about the hacker, where the funds are currently, and how to actively do right by the community. We have put out a $400,000 bounty for anyone who comes forward with the identity of the hacker or information about the hacker. Subsequently, we would need funds to be returned to the deployer address so we can restore lost crops.
🔏 We would like to reiterate that we are not trying to doxx anyone and have no interest in doing so. We humbly request that the attacker return the proceeds of the economic attack. The main priority is the restoration of funds for the thousands of affected users.
What We Know
We have written an extensive Post-Mortem about the Flashloan Economic Attack. It provides a technical overview of the attack, the affected pools, as well as a complete timeline of the attack.
The attacker exploited the effect of impermanent loss of USDC and USDT inside the Y Pool on Curve.fi. They used the manipulated asset value to deposit funds into Harvest vaults and obtain vault shares for a beneficial price. The attacker later exited the vault at a regular share price, generating a profit.
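The share-pricing arithmetic behind that description, as an added example that is not Harvest's code: a toy vault mints shares against a spot valuation of its pool position, so a deposit made while the valuation is depressed leaves with more than it put in once the price recovers. All balances and prices are constructed, and the `max_deviation` guard is a hypothetical mitigation, not the protocol's actual fix.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional


@dataclass
class Vault:
    """Toy vault: share price = (idle funds + pool position at spot) / shares."""
    idle: Fraction                # underlying held directly by the vault
    pool_units: Fraction          # position in an external pool, valued at spot
    total_shares: Fraction
    max_deviation: Optional[Fraction] = None  # hypothetical guard; None = off

    def total_value(self, spot: Fraction) -> Fraction:
        return self.idle + self.pool_units * spot

    def deposit(self, amount: Fraction, spot: Fraction, reference: Fraction) -> Fraction:
        # Guard: refuse to mint while spot strays too far from a reference price.
        if self.max_deviation is not None:
            if abs(spot - reference) / reference > self.max_deviation:
                raise ValueError("spot price outside allowed band")
        # An understated total_value mints more shares per unit deposited.
        minted = amount * self.total_shares / self.total_value(spot)
        self.idle += amount
        self.total_shares += minted
        return minted

    def withdraw(self, shares: Fraction, spot: Fraction) -> Fraction:
        payout = shares * self.total_value(spot) / self.total_shares
        self.idle -= payout
        self.total_shares -= shares
        return payout


def round_trip_profit(deposit_spot: Fraction, max_deviation: Optional[Fraction] = None):
    """Deposit at deposit_spot, withdraw at the fair price 1; None if rejected."""
    fair = Fraction(1)
    # Constructed state: 60M idle, 40M in the pool, 100M shares (price 1.0).
    vault = Vault(Fraction(60_000_000), Fraction(40_000_000),
                  Fraction(100_000_000), max_deviation)
    amount = Fraction(50_000_000)
    try:
        shares = vault.deposit(amount, deposit_spot, reference=fair)
    except ValueError:
        return None
    # Any profit here is value taken from the existing share holders.
    return vault.withdraw(shares, fair) - amount
```

With the pool position valued 1% low at deposit time, the round trip extracts about 133,690 units from existing depositors; a 0.5% band rejects that deposit while leaving fair-price deposits untouched.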
The attacker’s wallet address is: 0xf224ab004461540778a914ea397c589b677e27bb
Attack initiated in TX: 0x35f8d2f572fceaac9288e5d462117850ef2694786992a8c3f6d02612277b0877
The funds currently sit in these 7 BTC Wallets:
The attacker is actively money laundering BTC through:
- Various darknet mixers
Complete path of funds (Courtesy of BitQuery):
Tracing effort materials:
To summarize the post-mortem:
- We take responsibility for this engineering error and are ensuring such incidents are mitigated in the future
- Formulating a remediation plan for affected users is the top priority for the coming week
- We humbly request that the funds be returned to the deployer so that they can be distributed back to the users
📸 Community Updates
Argent has listed $FARM as a trading pair. As Harvest continues to build software and tools for users yield farming, one of the most well-known DeFi wallets will make it easier for farmers to hold on to their $FARM.
Prior to the economic attack, Harvest had more operating income than the credit giant Monzo 🏦. Increased deposits flowing into the LPs result in more profits 💵 generated for humble farmers, and this milestone demonstrates that DeFi-based products can compete with the traditional finance 💳 sector more quickly and efficiently.
Interested in more information about $FARM economics? One of our Discord community moderators Redmption recently published some thoughts 💭 on the value of FARM and the importance of cash flow. You can also visit our very thorough Wiki for additional information.
🔑 Community is Key
Harvest has one of the most vibrant communities within the blockchain ecosystem. As we get closer to the final deadline for the Creativity Contest Part 2, we have received some amazingly creative submissions. There are over $18,000 in FARM prizes to be awarded across multiple categories.
To learn more about round 2 of our creativity contest, refer to the announcement article. Below are some recent entries that have caught our eye:
🙏 We would also like to thank our content creators and contributors globally. For example, CryptoUF has been translating our weekly updates to French and HoldHorses has completed our strategy description bounty for $50 whenever a new strategy is deployed.
🌾 Without all of the efforts of individual farmhands, Harvest would not be one of the most fertile farms.
🏧 Emission Overview
💹 Week 8 Farming Incentives:
1️⃣ In week 1, 57569.1 $FARM were issued.
2️⃣ In week 2, 51676.2 $FARM were issued.
3️⃣ In week 3, 26400.2 $FARM were issued.
4️⃣ In week 4, 24997.5 $FARM were issued.
5️⃣ In week 5, 23555.0 $FARM were issued.
6️⃣ In week 6, 22507.83 $FARM were issued.
7️⃣ In week 7, 21507.22 $FARM were issued.
8️⃣ In week 8, 20551.42 $FARM were issued.
In Week 9, 19637.46 $FARM will be issued.
📉 $FARM emission in week 9 is further reduced by 4.44% from last week’s emission of 20,551.42. This is part of the emissions cut community vote where 99.12% of the votes approved this decreasing emissions plan. After ensuring sufficient emission to bootstrap critical liquidity and incentivize capital providers, additional emission provides diminishing returns to Harvest.
13746.22 $FARM (70% of week 9) will be distributed to capital and liquidity providers as follows:
🎉 1099.69 $FARM (5.59% of week 9) to stablecoin deposits into Harvest yield farming:
- 421.10 $FARM for USDC pool (2.14% of week 9 total)
- 371.30 $FARM for USDT pool (1.88%)
- 25.60 $FARM for DAI pool (0.13%)
- 281.68 $FARM for TUSD pool (1.43%)
₿ 1099.68 $FARM (5.59% of week 9) to BTC deposits into Harvest yield farming:
- 66.48 $FARM for wBTC pool (0.33%)
- 103.61 $FARM for renBTC pool (0.53%)
- 860.86 $FARM for Vault_CRV_renwBTC pool (4.38%)
- 68.73 $FARM (0.34% of week 9) to Sushiswap WBTC/TBTC deposits into Harvest yield farming
🤑 137.46 $FARM (0.70% of week 9) to WETH deposits into Harvest yield farming
🦄 5223.56 $FARM (26.59% of week 9) to UNI deposits into Harvest yield farming
- 737.93 $FARM for ETH-DAI pool (3.76%)
- 1625.10 $FARM for ETH-USDC pool (8.28%)
- 1053.00 $FARM for ETH-USDT pool (5.36%)
- 1807.51 $FARM for ETH-WBTC pool (9.2%)
🚜 4123.86 $FARM (21% of week 9) to $FARM liquidity providers in the Uniswap USDC/FARM pool
👨🌾 2061.93 $FARM (10.5% of week 9) to $FARM stakers in the profit share.
🏯 As we head into the following weeks, our number one priority is security of the software infrastructure and ensuring that the hacker cannot exit with the money successfully. We will continue investing into security and are already awaiting additional audits from multiple top tier auditing firms. While that happens, we are also working on protocol upgrades that can further improve our design and ensure that our systems are even more robust.
♋ 🌿 Our other initiatives such as Council of 69, strategic partnerships, new farming opportunities and community engagement initiatives are ongoing as planned, and we will look to continue working on these as they are core pillars that have made Harvest successful. We appreciate the good faith that humble farmers from around the world have placed in us and are forever grateful for it.