The Harvest Finance Exploit Explained
We’ve covered aspects of Harvest Finance thrice before, but it’s taken a dramatic dive since then, let’s break down what happened. Once boasting over a billion dollars in deposits, that number has been more than sliced in half.
Around $30M was drained from the Harvest protocol through a flash-arbitrage exploit. Before we get lost in the details, this seems like an appropriate time to be reminded that Defi tends to be degen (that is, high risk/reward) and you should really do your own research and only invest when you are confident that you understand the risks. In the interest of full disclosure, we lost some funds from this exploit, so let’s learn how it happened and what to watch for in the future. While we’re being super-honest, we received a grant from Harvest a few days ago, as previously disclosed.
WHAT HAPPENED!?
According to their official response, they take ‘responsibility for this engineering error’, are ‘formulating a remediation plan for affected users’ and ‘humbly request that funds are returned’. It’s not a very entertaining read, but fear not! Rekt has a more-entertaining telling of the tale, although the site tends to be FUD-heavy overall, so reader betware.
They essentially took a flash loan worth $50m, crashing the price of both fUSDT (which fell 13.7%) and $FARM (which fell 67%) over a two-hour period. Then they used the Curve Y Pool to swap funds and skew stable prices. Then over a 7-minute period they did a tidy swap of USDC to USDT and back again 32 times, as detailed by @valentinmihov on Twitter. They had $500,000 profit on each of the 32 cycles, then converted to renBTC and exited to BTC/ETH via Tornado Cash. The exit from the USDT Vault at the end of the cycle was made feasible because of the deflated USDT price from the earlier flash loan price manipulation. In the end they got out with $30m, although $6m of that ended up going to Uniswap Liquidity Providers as they exited.
Of interest, the Harvest Developers had $2.5m returned, around 10% of the take, although the motive behind the gesture is unclear. This is reminiscent of how the ENM hacker/exploiter did something similar, returning around 50% of the funds.
BUT… SECURITY AUDITS?
As we mentioned in our most-recent Harvest article, they’d already commissioned three companies to do security audits and released the results of two of them. Clearly this is no guarantee of invulnerability to exploitation, but it does call into question the veracity of the audits. Two of the auditors, Peck Shield and CertiK also audited Bzx before their three hacks earlier this year. It should be understood that audits verify specific parts of a protocol’s code, but not necessarily a comprehensive guarantee against hack or exploitation. This is why Andrew Cronje of yEarn intentionally did not post audits, to not give a false sense of security to potential users.
AFTERMATH
There is debate about whether this was a hack, an exploit, or just arbitrage. We tend to think this was unethical, and certainly many people lost their funds. It serves as a painful reminder that, while early days, DeFi is not as safe or robust as many might think, and caution should be exercised accordingly.
If you’d like to donate ETH/ERC-20, it’s appreciated! Haines.eth
Make sure you are subscribed on Youtube for the latest tutorials, news and interviews
Follow me on Twitter for memes, hot takes, and more DeFi
Join my public Telegram group for 24/7 crypto chat
For high level strategy and bleeding edge alpha join my private telegram group
