The DeFi sector has been the favorite target of attackers this year. And why wouldn’t it be as the industry is growing by billions of dollars each month, and that’s why it is attracting not only investors but hackers too.
The latest to be targeted by malicious threat actors is the decentralized finance (DeFi) protocol called Harvest Finance.
Harvest Finance was exploited early morning on Monday UTC. The company took to Twitter to explain what happened . The company claim that hackers exploited a DeFi ecosystem vulnerability present in the Curve’s Y pool mechanism and stole approx. $24 million.
Later the attacker returned around $2.5 million to the project for unknown reasons. The entire feat took about 7 minutes only.
See: Hacker returns $25 million after their IP address is exposed
It is a yield aggregator protocol like the YFI that collects yields from various lending protocols and offers depositors maximum return after optimizing the funds for the maximum. It provides liquidity for several DeFi pools.
Harvest claims that using a $50m flash loan, the attacker(s) could stretch the Curve Y pool’s stablecoin price via arbitrage manipulation. Exploiting the price manipulation on the Curve Y pool; the attacker drained Farm USDT and Farm USDC tokens from Harvest Finance and converted them to renBTC tokens and later to Bitcoin.
The attackers then used Bitcoin and Stablecoin pools on Harvest Finance itself to obtain a higher amount of stablecoins and providing high-priced coins on Curve.
$25,000,000 stolen from DeFi project “Harvest Finance” through a contract exploit.
Hacker gave back $2,500,000 and the project’s developers are offering $100,000 to track the thief, claiming he is likely a well known persona in the crypto world. pic.twitter.com/uwB4R6qfwU
— Alon Gal (Under the Breach) (@UnderTheBreach) October 26, 2020
At the time of the attack, the Curve’s trading volume on USDT and USDC went up from $10 million to $2.7 billion. The price of FARM, Harvest’s native token, also jumped by 57% and it is trading at $101.
Flash loans refer to uncollateralized loans. Users can borrow these funds directly from a liquidity pool on the condition that the money is returned within one transaction block.
Harvest Finance also revealed some of the bitcoin addresses of the hacker. The company stated that the hacker is already known in the crypto community and they have sufficient personally identifiable information available on the attacker, but they don’t intend to dox him .
However, the company has put a $10,000 bounty for the first individual or team that reaches out to the attacker. They have also asked several exchanges, including Coinbase, Binance, and Huobi to block the hacker’s addresses. Harvest also stated that it would release a post mortem report on the attack within 16 hours.
The attack has a strong similarity to the Eminence attack during which the hacker stole $15m and sent half of the stolen funds to an address belonging to the project’s lead developer. The difference is that in this incident, the hacker returned 10% of the stolen amount.
shop online with credit card number only no cvv buying fullz