Security vulnerabilities in DeFi protocols remain a serious concern for the sector despite its burgeoning growth, especially as major projects fall prey to attacks that drain user and project funds. The latest in this year's series of incidents comes from Harvest Finance, a protocol that made the news last week for overtaking Curve Finance, Compound Finance, Yearn Finance and Synthetix to rank fifth in the DeFi market by value locked. On October 26, however, Harvest was hit by an attack that led to the loss of $24 million in funds.
This was an attack on Harvest’s Stablecoin and Bitcoin pools, and the Harvest team immediately announced, “The economic attack was performed through the curve y pool, stretching the price of the stablecoins in Curve out of proportion and depositing and withdrawing a large amount of assets through harvest. To protect users, we’ve pulled y pool and btc curve strategy funds to the vault.”
The team has been publishing updates at regular intervals to keep its community informed about the progress of the fixes. A full post-mortem report has not yet been released, but Harvest has identified how the attack worked. The attacker allegedly began with a “large flashloan” and drained fUSDT and fUSDC multiple times by manipulating prices in the Curve y pool, so that Harvest's vaults valued deposits and withdrawals against a distorted price. The stablecoins were then converted into renBTC and pulled out of Harvest as BTC. The whole operation lasted a total of seven minutes.
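The mechanism described above, as an added illustration that is not code from Harvest or Curve: a constructed constant-product stablecoin pool stands in for the Curve y pool, and one large swap shows how far a single flash-loan-sized trade can push the pool's spot price off the 1:1 peg. The guard below is an assumed mitigation for this example (refuse vault deposits and withdrawals while the pricing pool is off-peg), not Harvest's actual fix.

```python
from dataclasses import dataclass

MAX_DEVIATION = 0.03  # assumed tolerance for this example, not a Harvest parameter


@dataclass
class Pool:
    """Constructed constant-product pool (x * y = k) standing in for the Curve y pool."""
    usdt: float
    usdc: float

    def spot_price(self) -> float:
        # USDC per USDT at the margin; one large swap moves this a lot.
        return self.usdc / self.usdt

    def swap_usdt_for_usdc(self, amount_usdt: float) -> float:
        k = self.usdt * self.usdc
        self.usdt += amount_usdt
        out = self.usdc - k / self.usdt
        self.usdc -= out
        return out


def price_deviation(pool: Pool) -> float:
    """Distance of the pool's spot price from the 1:1 peg both stablecoins should hold."""
    return abs(pool.spot_price() - 1.0)


def deposit_allowed(pool: Pool) -> bool:
    """Guard for a vault deposit/withdraw: refuse while the pricing pool is off-peg,
    so a same-block manipulation cannot be used to mint or redeem mispriced shares."""
    return price_deviation(pool) <= MAX_DEVIATION


def demo():
    """Returns (deviation before, deviation after) one flash-loan-sized swap."""
    pool = Pool(usdt=10_000_000.0, usdc=10_000_000.0)  # constructed balances
    before = price_deviation(pool)
    pool.swap_usdt_for_usdc(3_000_000.0)  # pushes the pool far off peg in one trade
    after = price_deviation(pool)
    return before, after
```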
The attacker’s 10 wallet addresses have been highlighted and the team has also reached out to centralized exchanges for them to take note of any transactions coming from any of these addresses. Strangely enough, the attacker returned approximately $2.5 million to the stablecoin pool, and the team said that Harvest would be redistributing the funds to those affected in the hack.
Now, it seems that Harvest will be able to identify the hacker who they claim is rather “well-known” in the crypto community. As such, they are putting a $100,000 bounty on the attacker.
Harvest went on to declare that it is not interested in “doxxing” the attacker, only in recovering their funds. Security breaches in DeFi protocols are not uncommon, and Harvest is taking an open and transparent approach in the aftermath of this mistake.
“We take responsibility for this engineering error and are ensuring such incidents are mitigated in the future. Formulating a remediation plan for affected users is the top priority,” the team tweeted. “We humbly request that the funds are returned to the deployer so that they can be returned to users.”