Distributed Humanity


$24 million stolen from Harvest.finance LPs via an impressive flashloan arbitrage exploit

Eric Ruleman
Oct 26, 2020

As with all things in DeFi, it started with a tweet.

Autism Capital 🧩 (@AutismCapital), 4:03 AM ∙ Oct 26, 2020:
Discord is going insane claiming Harvest team rugged. Don't have all the facts, could be false alarm, regardless, ****PAY ATTENTION IF YOU'RE CURRENTLY FARMING.**** @harvest_finance $FARM

Harvest.finance was the newest crop to appear in the DeFi yield-farming landscape. Was harvest.finance executing a rug pull? Was Farmer Chad stealing Bread from the People? 🥖

As confusion compounded, the Crypto Twitter hivemind went to work:

devops199fan 🔪📜😅 (@devops199fan), 4:15 AM ∙ Oct 26, 2020:
some info on the developing @harvest_finance exploit 🧐 ~$24MM exploited 👉 etherscan.io/tx/0x53fae6f1d… ~$2.5MM sent back to deployer 👉 etherscan.io/tx/0x25119cd54… hacker cashed out almost all of it via renBTC and tornado in the last ~1 hour 👉 app.zerion.io/0x3811765a53c3… h/t @jiecut42

@harvest_finance was quick to quell fears of a rug pull.

Harvest Finance (@harvest_finance), 4:26 AM ∙ Oct 26, 2020:
We are working actively on the issue of mitigating the economic attack on the Stablecoin and BTC pools, and will update in this thread in realtime as soon as additional details are available

Harvest Finance (@harvest_finance), 4:43 AM ∙ Oct 26, 2020:
The economic attack was performed through the curve y pool, stretching the price of the stablecoins in Curve out of proportion and depositing and withdrawing a large amount of assets through harvest. To protect users, we've pulled y pool and btc curve strategy funds to the vault

The attack was sophisticated, exploiting the composability of multiple money legos.

Harvest Finance (@harvest_finance), 5:37 AM ∙ Oct 26, 2020:
Like other arbitrage economic attacks, this one originated with a large flashloan, and manipulated prices on one money lego (curve y pool) to drain another money lego (fUSDT, fUSDC), many times. The attacker then converted the funds to renBTC and exited to BTC

For those who aren’t familiar, a flashloan is a transaction in which a user borrows funds, executes a series of operations with those borrowed funds, and then repays them, all within the same transaction. It gives everyone access to whale-like liquidity, risk-free: if any step in the series fails (the repayment included), the entire transaction reverts as if it had never happened.
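As an added illustration (my own toy model, not Harvest's or Curve's code) of the pattern the tweets above describe, the Python below models a vault that prices deposits and withdrawals at a two-token pool's spot price, runs the skew/deposit/unskew/withdraw sequence as one atomic transaction, and shows how a deviation check against an assumed reference price (a constructed mitigation, not the team's own fix) makes the whole transaction revert, exactly as a failed flashloan would. Pool sizes, amounts and the 0.04% fee are all constructed values.

```python
FEE = 0.0004  # assumed swap fee, constructed value

class ConstantProductPool:
    """Toy x*y=k pool of USDC (x) and USDT (y); stands in for the Curve y pool."""
    def __init__(self, usdc, usdt):
        self.usdc, self.usdt = usdc, usdt
    def spot_usdc_per_usdt(self):
        return self.usdc / self.usdt
    def swap_usdc_for_usdt(self, usdc_in):  # buying USDT pushes its spot price up
        out = self.usdt - self.usdc * self.usdt / (self.usdc + usdc_in * (1 - FEE))
        self.usdc, self.usdt = self.usdc + usdc_in, self.usdt - out
        return out
    def swap_usdt_for_usdc(self, usdt_in):  # selling USDT pushes it back down
        out = self.usdc - self.usdc * self.usdt / (self.usdt + usdt_in * (1 - FEE))
        self.usdt, self.usdc = self.usdt + usdt_in, self.usdc - out
        return out

class Vault:
    """Holds LPs' USDT; prices deposits and withdrawals at the pool's spot price.
    tolerance=None is the vulnerable vault; a number enables the assumed guard."""
    REFERENCE = 1.0  # assumed manipulation-resistant reference (e.g. a TWAP)
    def __init__(self, pool, usdt, tolerance=None):
        self.pool, self.usdt, self.tolerance = pool, usdt, tolerance
    def _check_price(self):  # the guard: revert if spot strays too far from REFERENCE
        deviation = abs(self.pool.spot_usdc_per_usdt() - self.REFERENCE)
        if self.tolerance is not None and deviation > self.tolerance:
            raise RuntimeError("spot price deviates from reference: revert")
    def deposit(self, usdt_in):  # returns shares, denominated in USD value
        self._check_price()
        self.usdt += usdt_in
        return usdt_in * self.pool.spot_usdc_per_usdt()
    def withdraw(self, shares):  # returns USDT
        self._check_price()
        usdt_out = shares / self.pool.spot_usdc_per_usdt()
        self.usdt -= usdt_out
        return usdt_out

def round_trip(tolerance=None, skew=200_000):
    """One atomic transaction: skew the pool, deposit, unskew, withdraw. Returns the
    depositor's USDT gain (the LPs' loss), or None if any step reverted, which
    unwinds everything, just as a failed flashloan transaction would."""
    pool = ConstantProductPool(1_000_000, 1_000_000)
    vault = Vault(pool, usdt=2_000_000, tolerance=tolerance)
    try:
        bought = pool.swap_usdc_for_usdt(skew)   # inflate USDT's spot price
        shares = vault.deposit(500_000)          # valued at the inflated price
        pool.swap_usdt_for_usdc(bought)          # spot returns to ~1.0
        return vault.withdraw(shares) - 500_000
    except RuntimeError:
        return None
```

With the guard off the round trip extracts roughly 220k USDT from the other depositors for a swap cost of a few hundred; with a 1% tolerance the deposit reverts while an unskewed deposit and withdrawal (skew=0) still goes through at zero gain.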

Harvest Finance (@harvest_finance), 5:42 AM ∙ Oct 26, 2020:
Like other flashloan attacks, the attacker did not give time to respond, performing the attack in 7 minutes end to end. Wallet of the attacker exiting through renBTC app.zerion.io/0x3811765a53c3… Source: @devops199fan

Chris Blec, who had been harping on harvest.finance’s admin key, immediately suspected this was an inside job:

Chris Blec (@ChrisBlec):
Replace Andre with "anonymous Harvest Finance dev" and you'd have a pretty decent theory.

Chris Blec (@ChrisBlec), 4:24 AM ∙ Oct 26, 2020:
If Andre were dishonest, he would develop a complex DeFi liquidity system with great code, but include a financial exploit so nuanced that no auditor could catch it. Then, after the pool builds, he'd covertly run the exploit w/ a flash loan, drain the pool, and blame the world.

Christopher Mooney (@godsflaw), 4:27 AM ∙ Oct 26, 2020:
@ChrisBlec In the computer security community we call this a bugdoor. A backdoor with plausible deniability as a bug.

A bugdoor - what a beautiful term. Was this exploit an inside job, enabled via a bugdoor?

Before we had time to truly ponder that idea, the attacker did something unexpected:

Harvest Finance (@harvest_finance), 5:52 AM ∙ Oct 26, 2020:
The attacker sent back $2,478,549.94 to the deployer in the form of USDT and USDC. This will be distributed to the affected depositors pro-rata using a snapshot

Recap: After stealing $24 million from harvest.finance LPs, the attacker sent $2.5 million back to the harvest.finance dev’s admin key address.

Maybe the hacker felt bad. Chef Nomi sent back the $14 million he stole, so we’ve seen this type of behavior before in DeFi.

But giving money back to the dev’s admin key address isn’t a surefire sign that the attack wasn’t an inside job.

Chris Blec (@ChrisBlec), 6:13 AM ∙ Oct 26, 2020:
Theoretical inside job psyop: Send most hacked funds to a new account, but "return" a small amount back into team's public account so that they can offer a gesture of good faith to users. Users will think that team is honest since they're not running off w/ "returned" funds.

Summary: It’s hard to be an anonymous dev team in DeFi, as *any* smart contract exploit will be considered an inside job.

Meanwhile, harvest_finance called for the CEXs (Binance, Coinbase) to blacklist the BTC addresses that contained the stolen funds.

We soon found out that the attacker wasn’t perfect in his execution:

Harvest Finance (@harvest_finance), 7:12 AM ∙ Oct 26, 2020:
In addition to the BTC addresses which hold the funds, there is now a significant amount of personally identifiable information on the attacker, who is well-known in the crypto community. We are putting out a 100k bounty for the first person or team to reach out to the attacker

Harvest Finance (@harvest_finance), 7:14 AM ∙ Oct 26, 2020:
and help the attacker return the funds to the deployer address

Harvest Finance (@harvest_finance), 7:18 AM ∙ Oct 26, 2020:
We are not interested in doxxing the attacker, your skill and ingenuity is respected, just return the funds to the users

So, maybe these funds will be returned? Who knows.

@AutismCapital, one of the first accounts to break the story, had the last word for the night:

Autism Capital 🧩 (@AutismCapital), 7:19 AM ∙ Oct 26, 2020:
When have you ever heard of a positive story around flash loans? It's always some dark autist using them for evil.

Flashloans are cursèd, for they multiply the lethality of arbitrage exploits.

Maybe c̶o̶m̶p̶u̶t̶e̶r̶s̶ flashloans were a mistake.

Oh well. They exist now. And they’re an unstoppable, uncensorable money lego that is composable with all the other money legos on DeFi.
