Flashloans, Arbitrage, and Harvest.finance
$24 million stolen from Harvest.finance LPs via an impressive flashloan arbitrage exploit
As with all things in DeFi, it started with a tweet.
Harvest.finance was the newest crop to appear in the DeFi farming protocols landscape: Was harvest.finance executing a rugpull? Was Farmer Chad stealing Bread from the People? š„
As confused compounded, the Crypto Twitter hivemind went to work:
@harvest_finance was quick to quell fears of a rug pull.
The attack was sophisticated, exploiting the composability of multiple money legos.
For those who arenāt familiar, flashloans are a transaction where a user borrows funds, executes a series of transactions with those borrowed funds, and then returns them ā all within the same transaction. It allows everyone access to whale-like liquidity, risk-free. If one of the transactions in the series doesnāt complete, then the entire transaction is invalidated.
Chris Blec, who had been harping about harvest.financeās Admin Key, immediately suspected this was an inside job:
A bugdoor - what a beautiful term. Was this exploit an inside job, enabled via a bugdoor?
Before we had time to truly ponder that idea, the attacker did something unexpected:
Recap: After stealing $24 million from harvest.finance LPs, the attacker sent $2.5 million back to the harvest.finance devās admin key address.
Maybe the hacker felt bad. Chef Nomi sent back the $14 million he stole, so weāve seen this type of behavior before in DeFi.
But giving money back to the devās admin key address isnāt a surefire sign that the attack wasnāt an inside job.
Summary: Itās hard to be anonymous dev team in DeFi as *any* smart contract exploits will be considered an inside job.
Meanwhile, harvest_finance called for the CEXās (Binance, Coinbase) to blacklist the BTC addresses that contained the stolen funds.
We soon found out that the attacker wasnāt perfect in his execution:
So - maybe these funds will be returned? Who knows.
@AutismCapital, one of the first accounts to break the story, had the last word for the night:
Flashloans are cursĆØd, for they multiply the lethality of arbitrage exploits.
Maybe cĢ¶oĢ¶mĢ¶pĢ¶uĢ¶tĢ¶eĢ¶rĢ¶sĢ¶ flashloans were a mistake.
Oh well. They exist now. And theyāre an unstoppable, uncensorable money lego that is composable with all the other money legos on DeFi.