Flashloans, Arbitrage, and Harvest.finance
$24 million stolen from Harvest.finance LPs via an impressive flashloan arbitrage exploit
As with all things in DeFi, it started with a tweet.
Harvest.finance was the newest crop to appear in the DeFi yield-farming landscape. Was harvest.finance executing a rug pull? Was Farmer Chad stealing Bread from the People? 🥖
As confusion compounded, the Crypto Twitter hivemind went to work:
@harvest_finance was quick to quell fears of a rug pull.
The attack was sophisticated, exploiting the composability of multiple money legos.
For those who aren’t familiar, a flashloan is a transaction in which a user borrows funds, executes a series of operations with those borrowed funds, and then returns them, all within a single transaction. It gives anyone access to whale-sized liquidity with no capital at risk: if any step in the series fails, the entire transaction reverts as though it never happened.
A bugdoor: what a beautiful term. Was this exploit an inside job, enabled via a bugdoor?
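As an added illustration (not code from this post or from Harvest.finance), a toy Python ledger that simulates the two properties the paragraph relies on: the lending pool only checks that it has been repaid with a fee before the transaction ends, and a failure anywhere in the series rolls the whole transaction back. The pool, borrower and dex balances and the 0.09% fee are constructed values, not any real protocol's parameters.

```python
# Toy simulation of flashloan atomicity (constructed example, not Harvest.finance code).
from dataclasses import dataclass, field
from typing import Callable, Dict
FEE_BPS = 9  # assumed flashloan fee of 0.09%, in basis points (constructed value)

@dataclass
class Ledger:
    balances: Dict[str, int] = field(default_factory=dict)
    def bal(self, who: str) -> int:
        return self.balances.get(who, 0)

    def transfer(self, src: str, dst: str, amt: int) -> None:
        if self.bal(src) < amt:
            raise ValueError(f"insufficient funds: {src}")
        self.balances[src] -= amt
        self.balances[dst] = self.bal(dst) + amt

def run_tx(ledger: Ledger, tx: Callable[[Ledger], None]) -> bool:
    """Run tx atomically: any exception restores the pre-transaction state."""
    snapshot = dict(ledger.balances)
    try:
        tx(ledger)
        return True
    except Exception:
        ledger.balances = snapshot
        return False

def flashloan(ledger: Ledger, pool: str, borrower: str, amount: int,
              callback: Callable[[Ledger], None]) -> None:
    """Lend pool funds for one call; the pool's only safety check comes at the end."""
    before = ledger.bal(pool)
    ledger.transfer(pool, borrower, amount)
    callback(ledger)  # the borrower may do anything with the funds in between
    if ledger.bal(pool) < before + amount * FEE_BPS // 10_000:
        raise RuntimeError("flashloan not repaid with fee")

def scenario(repay: bool, fail_midway: bool):
    """Return (tx_succeeded, pool_balance, borrower_balance) after one attempt."""
    ledger = Ledger({"pool": 1_000_000, "borrower": 0, "dex": 500_000})
    def steps(l: Ledger) -> None:
        l.transfer("borrower", "dex", 100_000)    # route the borrowed funds through a dex
        if fail_midway:
            l.transfer("borrower", "dex", 10**9)  # a step that cannot complete
        l.transfer("dex", "borrower", 101_000)    # constructed 1% gain on the trade
        if repay:
            l.transfer("borrower", "pool", 100_000 + 100_000 * FEE_BPS // 10_000)

    ok = run_tx(ledger, lambda l: flashloan(l, "pool", "borrower", 100_000, steps))
    return ok, ledger.bal("pool"), ledger.bal("borrower")
```

Whatever the borrower does in `steps`, the pool either ends the transaction richer by the fee or ends it exactly where it started; the lender's exposure is limited to what the pool's final check enforces.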
Before we had time to truly ponder that idea, the attacker did something unexpected:
Recap: After stealing $24 million from harvest.finance LPs, the attacker sent $2.5 million back to the harvest.finance dev’s admin key address.
Maybe the hacker felt bad. Chef Nomi sent back the $14 million he stole, so we’ve seen this type of behavior before in DeFi.
But giving money back to the dev’s admin key address isn’t a surefire sign that the attack wasn’t an inside job.
Summary: It’s hard to be an anonymous dev team in DeFi, as *any* smart contract exploit will be considered an inside job.
Meanwhile, harvest_finance called for the CEXs (Binance, Coinbase) to blacklist the BTC addresses that contained the stolen funds.
We soon found out that the attacker wasn’t perfect in his execution:
So - maybe these funds will be returned? Who knows.
@AutismCapital, one of the first accounts to break the story, had the last word for the night:
Flashloans are cursèd, for they multiply the lethality of arbitrage exploits.
Maybe c̶o̶m̶p̶u̶t̶e̶r̶s̶ flashloans were a mistake.
Oh well. They exist now. And they’re an unstoppable, uncensorable money lego that is composable with all the other money legos in DeFi.