Harvest flashloan event: would it have been covered?

Kayleigh Petrie
Published in Nexus Mutual, Oct 27, 2020

In short: it’s up to our members.

Harvest was not listed on Nexus Mutual, but we were in the process of listing it so that our members could stake on it and enable cover purchases. The listing was not complete before the event, so no Nexus members have cover on Harvest and this is purely a speculative report. Ultimately all claims are decided by our members.

The recent flashloan economic event on Harvest Finance happened when a user exploited an arbitrage opportunity by temporarily manipulating the value of individual assets inside the Y pool of Curve.fi, which is where the funds of Harvest’s vaults were invested. The Harvest team have acknowledged that there were engineering mistakes in the design, but that the code worked as intended.

The Harvest report indicates that, after taking a large flashloan and manipulating the price feed (on the Curve Y pool), the user deposited funds into Harvest’s vaults at the manipulated asset value, obtained vault shares at a beneficial price, and later exited the vault at the regular share price, generating a profit.

“The arbitrage check inside Harvest’s strategy did not exceed the threshold of 3% and thus did not revert the transaction.” Harvest had a check in place but it was insufficient to stop the incident. The Harvest team are uncertain if reducing that check threshold would have prevented it and they suggest that it would also have caused other issues.
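A simplified numerical model of the mechanism described above, added here as an illustration; it is not Harvest's contract code and does not come from the Harvest report. The `ToyVault` class, its starting balances and the reference price are assumptions, and only the 3% threshold is taken from the quoted text. It shows that a valuation skew below the threshold passes the check while the depositor's gain is exactly the existing holders' loss.

```python
from dataclasses import dataclass

THRESHOLD = 0.03  # the 3% limit quoted from the Harvest report


class DeviationTooHigh(Exception):
    """Stands in for the on-chain revert."""


@dataclass
class ToyVault:
    """Hypothetical model: shares are priced from idle cash plus a pool
    position valued at the pool's current, externally movable price."""
    invested_units: float
    idle: float
    total_shares: float
    reference_price: float = 1.0  # assumed baseline for the check

    def _check(self, pool_price):
        deviation = abs(pool_price - self.reference_price) / self.reference_price
        if deviation > THRESHOLD:
            raise DeviationTooHigh(f"{deviation:.2%} > {THRESHOLD:.0%}")

    def value(self, pool_price):
        return self.idle + self.invested_units * pool_price

    def deposit(self, amount, pool_price):
        self._check(pool_price)
        minted = amount * self.total_shares / self.value(pool_price)
        self.idle += amount
        self.total_shares += minted
        return minted

    def withdraw(self, shares, pool_price):
        self._check(pool_price)
        payout = self.value(pool_price) * shares / self.total_shares
        from_idle = min(payout, self.idle)  # pay from idle cash first
        self.idle -= from_idle
        self.invested_units -= (payout - from_idle) / pool_price
        self.total_shares -= shares
        return payout


def round_trip(amount, skewed_price, fair_price=1.0):
    """Deposit at a skewed valuation, withdraw at the fair one.
    Returns (depositor_gain, loss_to_existing_holders)."""
    # Constructed starting balances: 1,000,000 units invested, 1,000,000 shares.
    vault = ToyVault(invested_units=1_000_000.0, idle=0.0, total_shares=1_000_000.0)
    before = vault.value(fair_price)
    shares = vault.deposit(amount, skewed_price)
    payout = vault.withdraw(shares, fair_price)
    return payout - amount, before - vault.value(fair_price)
```

With these constructed balances, `round_trip(1_000_000.0, 0.99)` passes the check and moves about 5,025 units from existing holders to the depositor, while a 5% skew raises `DeviationTooHigh`.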

Nexus Mutual smart contract cover wording document excludes “any events where inputs, that are external to the smart contract system, behave in an unintended way and the smart contract system continues to operate as intended, where inputs include but are not limited to; oracles, governance systems, incentive structures, miner behaviour and network congestion.”

Previous claims that have come through Nexus Mutual such as the bZx flashloan event indicate that our members do not see events where the code was used as intended as claimable events. In this particular case we can determine that Harvest’s code was designed and implemented in such a way that allowed for this kind of attack to take place. The Harvest team have acknowledged that there were engineering mistakes in the design, but that the code worked as intended.

On the surface it appears this exploit fits into a similar category but ultimately it is up to our members to decide on any claims. Nexus Mutual members have full discretion over paying out claims so if there had been covers and subsequent claims on Harvest, Claims Assessors (any member staking to vote on claims) would have the final say on whether or not to pay out. Claims Assessors are incentivised to vote in line with the general consensus and to pay out legitimate claims. Full details on how the claims process works can be found here.

Smart contract cover protects members for the contracts and code belonging only to the covered protocol. Therefore cover on Curve would not be relevant in this particular incident. However we are developing new products such as stacked risk cover (where multiple interrelated projects are covered at once). We know that there is demand for more products with broader scope and protection — we’re working to develop them as a priority. Look out for discussions on our forum.

We’ve recently added proof of loss wording to our cover document so members now have to add cryptographic evidence for personal loss (at least 20% of the cover amount) when submitting a claim. When a claim is raised, claims assessors often discuss the details in our Discord and from those discussions we are aware that there can be differing interpretations of the cover wording. The wording is deliberately high level to allow for nuance and edge cases — this is where we want to depart from the rigidity of traditional insurance. However we will consult members on updating the cover wording to ensure that members with cover are clear about what Smart Contract Cover protects against.

For detailed and technical discussions on our roadmap use our forum.

For community conversations on all topics related to Nexus join our Discord.

For Telegram updates join the announcements channel and discussion group.

For all stats and data visit the Nexus tracker built by Richard Chen.

Kayleigh Petrie
Nexus Mutual

Attempting to navigate real life. Director of Engagement at Nexus Mutual.