Hacker Drains $24M From Harvest Finance, Returns $2.5M

Neglected or unnoticed weaknesses in decentralized finance (DeFi) protocols often cost investors dearly. Hackers actively try to exploit any weakness in the code. Recently, investors in Harvest Finance became victims of a hack after the protocol was drained by an unknown attacker. The hacker cashed out about $24 million worth of digital currencies. DeFi projects manage assets on behalf of investors and speculators.

Such attacks can threaten the development, maturity, and adoption of the entire decentralized finance industry. Further protocol exploitation can create fear in the mind of investors, causing them to avoid new DeFi projects altogether.

How Harvest Finance Lost $24 Million Within 1 Hour

Harvest Finance is a new yield farming protocol that allows investors to deposit their crypto assets for huge profits. According to the statement from Harvest Finance, the hacker performed a so-called arbitrage economic attack on the protocol. The attack was launched through the “curve y pool” and manipulated the price of the stablecoins in the process.

Almost all of the stolen assets in the protocol have been converted to renBTC and Tornado. The development also caused a significant drop in the price of FARM, the governance token for Harvest Finance. At the time of writing, the token sees a 24-hour price change of over -50 percent. It currently trades at $115.6 on CoinGecko, a crypto price tracker.

Meanwhile, Twitter user @PancakeBunnyFin also claims there was a bug in the protocol’s code. The Twitter user hints at Harvest Finance having an implementation bug, and also a loose design. 

Comments like these aren’t unusual in the DeFi space. A lot of projects refuse to have their code audited prior to accepting incoming transactions. Maintaining such a risky approach will keep costing users a lot of money.

Harvest Finance Team Responds

According to the team’s statement, the remaining funds were withdrawn from the affected curve strategy, including stablecoin and Bitcoin balances. The reason for this approach is to protect the investors from further attacks. These funds are now in the vault and not deployed in any strategy.

The hacker, meanwhile, returned about $2.5 million to the protocol’s deployer in Tether (USDT) and USD Coin (USDC). The team intends to distribute the funds to the affected investors.

It remains unknown why the hacker returned the funds. However, a different hacker made a similar move recently, returning about $8 million after exploiting the Eminence protocol.