Flashloans, Arbitrage, and Harvest.finance

$24 million stolen from Harvest.finance LPs via an impressive flashloan arbitrage exploit

Oct 26, 2020

As with all things in DeFi, it started with a tweet.

Discord is going insane claiming Harvest team rugged. Don't have all the facts, could be false alarm, regardless, ****PAY ATTENTION IF YOU'RE CURRENTLY FARMING.**** @harvest_finance $FARM

Harvest.finance was the newest crop to appear in the DeFi farming protocols landscape: Was harvest.finance executing a rugpull? Was Farmer Chad stealing Bread from the People? 🥖

As confused compounded, the Crypto Twitter hivemind went to work:

devops199fan 🔪📜😅 @devops199fan

some info on the developing @harvest_finance exploit 🧐 ~$24MM exploited 👉 etherscan.io/tx/0x53fae6f1d… ~$2.5MM sent back to deployer 👉 etherscan.io/tx/0x25119cd54… hacker cashed out almost all of it via renBTC and tornado in the last ~1 hour 👉 app.zerion.io/0x3811765a53c3… h/t @jiecut42

@harvest_finance was quick to quell fears of a rug pull.

Harvest Finance @harvest_finance

We are working actively on the issue of mitigating the economic attack on the Stablecoin and BTC pools, and will update in this thread in realtime as soon as additional details are available

Harvest Finance @harvest_finance

The economic attack was performed through the curve y pool, stretching the price of the stablecoins in Curve out of proportion and depositing and withdrawing a large amount of assets through harvest. To protect users, we've pulled y pool and btc curve strategy funds to the vault

The attack was sophisticated, exploiting the composability of multiple money legos.

Harvest Finance @harvest_finance

Like other arbitrage economic attacks, this one originated with a large flashloan, and manipulated prices on one money lego (curve y pool) to drain another money lego (fUSDT, fUSDC), many times. The attacker then converted the funds to renBTC and exited to BTC

For those who aren’t familiar, flashloans are a transaction where a user borrows funds, executes a series of transactions with those borrowed funds, and then returns them — all within the same transaction. It allows everyone access to whale-like liquidity, risk-free. If one of the transactions in the series doesn’t complete, then the entire transaction is invalidated.

Harvest Finance @harvest_finance

Like other flashloan attacks, the attacker did not give time to respond, performing the attack in 7 minutes end to end. Wallet of the attacker exiting through renBTC app.zerion.io/0x3811765a53c3… Source: @devops199fan

Chris Blec, who had been harping about harvest.finance’s Admin Key, immediately suspected this was an inside job:

Chris Blec @ChrisBlec

Replace Andre with "anonymous Harvest Finance dev" and you'd have a pretty decent theory.

Chris Blec @ChrisBlec

If Andre were dishonest, he would develop a complex DeFi liquidity system with great code, but include a financial exploit so nuanced that no auditor could catch it. Then, after the pool builds, he'd covertly run the exploit w/ a flash loan, drain the pool, and blame the world.

Christopher Mooney @godsflaw

@ChrisBlec In the computer security community we call this a bugdoor. A backdoor with plausible deniability as a bug.

A bugdoor - what a beautiful term. Was this exploit an inside job, enabled via a bugdoor?

Before we had time to truly ponder that idea, the attacker did something unexpected:

Harvest Finance @harvest_finance

The attacker sent back $2,478,549.94 to the deployer in the form of USDT and USDC. This will be distributed to the affected depositors pro-rata using a snapshot

Recap: After stealing $24 million from harvest.finance LPs, the attacker sent $2.5 million back to the harvest.finance dev’s admin key address.

Maybe the hacker felt bad. Chef Nomi sent back the $14 million he stole, so we’ve seen this type of behavior before in DeFi.

But giving money back to the dev’s admin key address isn’t a surefire sign that the attack wasn’t an inside job.

Chris Blec @ChrisBlec

Theoretical inside job psyop: Send most hacked funds to a new account, but "return" a small amount back into team's public account so that they can offer a gesture of good faith to users. Users will think that team is honest since they're not running off w/ "returned" funds.

Summary: It’s hard to be anonymous dev team in DeFi as *any* smart contract exploits will be considered an inside job.

Meanwhile, harvest_finance called for the CEX’s (Binance, Coinbase) to blacklist the BTC addresses that contained the stolen funds.

We soon found out that the attacker wasn’t perfect in his execution:

Harvest Finance @harvest_finance

In addition to the BTC addresses which hold the funds, there is now a significant amount of personally identifiable information on the attacker, who is well-known in the crypto community. We are putting out a 100k bounty for the first person or team to reach out to the attacker

Harvest Finance @harvest_finance

and help the attacker return the funds to the deployer address

Harvest Finance @harvest_finance

We are not interested in doxxing the attacker, your skill and ingenuity is respected, just return the funds to the users

So - maybe these funds will be returned? Who knows.

@AutismCapital, one of the first accounts to break the story, had the last word for the night:

Autism Capital 🧩 @AutismCapital

When have you ever heard of a positive story around flash loans? It's always some dark autist using them for evil.

Flashloans are cursèd, for they multiply the lethality of arbitrage exploits.

Maybe c̶o̶m̶p̶u̶t̶e̶r̶s̶ flashloans were a mistake.

Oh well. They exist now. And they’re an unstoppable, uncensorable money lego that is composable with all the other money legos on DeFi.

Distributed Humanity

Discussion about this post