- Harvest Finance has been hacked for $24 million in stablecoins
- The hacker caused the Uniswap trading volume to jump by 15x as they cashed out
- Harvest Finance and Republic Protocol worked together to identify the hacker and are trying to negotiate a return of the funds
Harvest Finance, a DeFi farming platform, has been hacked to the tune of $24 million, with the hacker causing the 24hr trading volume on Uniswap to jump 15x overnight. After the funds seemed at first lost, Harvest Finance believe they have identified the hacker and are trying to negotiate a return of the funds.
$24 Million in Stablecoins Stolen
In a series of tweets describing the mechanics behind the attack, Harvest Finance said that the exploit was initiated by the attacker taking out a flash loan and using it to manipulate the protocols associated with the platform:
Like other arbitrage economic attacks, this one originated with a large flashloan, and manipulated prices on one money lego (curve y pool) to drain another money lego (fUSDT, fUSDC), many times.
The attacker then converted the funds to renBTC and exited to BTC
— Harvest Finance (@harvest_finance) October 26, 2020
The attacker was able to drain $24 million worth of fUSDT and fUSDC tokens from the platform, which they exchanged into BTC and then again into renBTC before transferring to the Republic Protocol darkpool platform. The attacker apparently returned 10% of the stolen funds in USDT and USDC, which will be deposited among those who lost money in the hack.
Harvest Finance Identifies Attacker
All does not seem lost, however. Republic Protocol assisted in identifying the wallets that the renBTC was sent to, with Harvest Finance posting the addresses on Twitter and alerting the likes of Binance, Coinbase, Huobi, and Bitfinex in the hope of blacklisting them and preventing them from being easily cashed out:
1FS2t2eAjmjaNmADN6SMHYo7G4XGpX1osS
1NdAJ89k1qpRMpZLwuYGQ7VnM45xD2NJXa
1CLHhshrusvT4XADWA29R2H4ndsSUamEWn
1FS2t2eAjmjaNmADN6SMHYo7G4XGpX1osS
1CLHhshrusvT4XADWA29R2H4ndsSUamEWn2/2
— Harvest Finance (@harvest_finance) October 26, 2020
In an interesting twist, Harvest Finance later revealed they had discovered a “significant amount of personally identifiable information on the attacker,” who was “well-known in the crypto community.” They added however that they were “not interested in doxing the attacker”, asking instead for the funds to be returned and offering a $100,000 bounty to the first person or team who helped the attacker return the funds.
With the hacker seemingly cornered and Harvest Finance losing credibility over the hack as well as potential funds, the biggest winners here could well be the WETH-USDT/USDC Uniswap liquidity providers, who can walk away with their share of the 15x volume increase.
