Dear Skilful Harvest/DeFi Hacker,
The crypto revolution was started by a bunch of "benevolent" hackers trying to evade or supersede government regulation and control. Over time it's become all the rage, and most of the value locked in it belongs to fools who have no clue. These humble farmers are either used to laws and institutions that protect their assets from foul play, or come from a country where institutions fail to do that and are desperate to find something better.
Out of greed or desperation, the promise of reasonable yields/interest on their savings brings them to the blockchain, to DeFi, and to Harvest Finance.
Harvest and our DeFi friends are clearly anonymous communities, run by anonymous developers, without any formal institutional structure. It may seem foolish to trust large sums of money to such collectives, but the communities are strong and easy to find. After people spend some time in our community, they rightly come to trust the intentions of the strange new kind of organisation that is Harvest. As the institutions of the world drag us through crisis after crisis, always finding a way to save their own skin while widening the already enormous wealth gap, this friendly group of humble farmers is something we all want to work out so badly.
So we're excited, we move super fast, we do shit. We end up with a bunch of people, who don't really understand, telling us that we need audits and time-locks in order to be trusted, and that once we have done that we will be secure and trustworthy. These same people also want the highest yields at every moment. They want better customer support than they'd get from their bank, and they want changes done in hours, not days, weeks or months. We try so hard to give them everything they want.
In the background there are whitehat hackers and security experts tweeting about potential problems in our concepts and code. Sometimes we listen, but often this advice is lost in the noise. Somewhere a hole in the system is left unnoticed.
Someone will exploit this hole some day; the only questions are when, who and how. It is clear that pointing out a hole is not always compelling enough to prompt action. So for us to learn how to keep our farmers safe, someone has to reach through it and take something that isn't theirs to take, or change something that they shouldn't be able to change.
Exploiting an obscure vulnerability in a high-growth, high-energy community project and taking most of its money is either a total dickhead move that manages to violate laws even in an ecosystem built to evade them, or the best lesson one could ever teach. The difference is what you do with the money.
Crypto needs a Greyhat movement
You took our money and ran off into the night, but you did something else quite interesting. You sent the leaders of our humble Harvest community 2.5 million dollars (about 10% of what you took). Maybe you just wanted us to blame our leaders for the hack, but instead the community united to find a way to put right what you had done to those you wronged.
In two weeks and a couple of DAO votes, we came up with the GRAIN bond, which we will use to slowly return the funds you stole to those who lost them. We have also put up a 1 million dollar bounty for anyone who can find you and help us use the law and the crypto community to restore our funds. But we don't like cops any more than you do. In the same few weeks, you were busy slowly laundering your money so you can carefully and slowly spend it, always slightly afraid of leaving a trail back to yourself. You wear a blackhat.
But it doesn't have to be this way. You taught us a valuable lesson. We are now far more cautious, we move slower, and we've looked to places other than auditors to make sure our code is secure. Your hacks can bind us together in new ways as communities, and we learned how ready we all were to support each other. If not, we decay into a vast field of FUD. At Harvest, we'd just like to be able to make everyone whole again, without them having to wait years for us to earn enough money to do so.
So come take a look at our community. Hop onto our Discord and see what a real community of humble farmers trying to change the world looks like. Are we really the people you want to steal from? There are certainly plenty of fools out there far more deserving of being rekt. We understand that your hack wasn't cheap. You spent 9 million of our money in the process of stealing it. With that in mind, I present you with two proposals:
1: The Best Solution:
Reach out to the community (anonymously) and strike a deal to return the money you still have. The 2.5 million you gave us seems like a steep but acceptable price to pay for the lessons you've learned, and the 9 million in fees you paid is something we'll have to deal with. 11.5 million is something we can repatriate much more quickly. We could formally (as formally as a DAO can) absolve you of all wrongdoing, both legally and ethically, and write you a thank-you-letter NFT for the lessons you've taught us. Then you can spend your earned money freely without concern.
2: The DeFi Solution:
In the next weeks, 1 GRAIN will be minted for every dollar you stole. This supply will be put in an AMM liquidity pool. Harvest plans to direct a portion of our profits to buying and burning GRAIN until the lost money has been repaid. You could "front-run" us: spend $22 million buying the GRAIN in the pool, buy all the GRAIN if you can, keep it as a souvenir, or, even better, strike the deal with the devs proposed in option 1 above and return the GRAIN. Buying millions in GRAIN from the pool would create a crazy pump-and-dump economy and give everyone a chance to make their money back off the degens and fools who knew they were taking a risk.
To conclude:
We know that we're asking you to basically give up ~22 million dollars, but with that, we invite you to come back in 6 months and do it all again. If you can find another hole, then reach in and take a little more coin (maybe watch the fees). Help us learn, watch how we react, and if our actions seem noble and humble, make us mostly whole and spare yourself from having to do laundry. There have got to be some other communities you can teach in the meantime...
Start a movement of greyhat hackers with a code of ethics. Seek to understand how you can use your mad skills to make mad cash and help the blockchain community become more secure. Help us grow strong enough that we don't need to go crying to the police and the other institutions we are all trying so desperately to escape.
Not everyone in DeFi will love you for this, but many will idolise you. I will certainly come to your defence. Security is important, and we're not good enough at it. Crypto is the Wild West; we need greyhats to remind us it's dangerous and keep us safe.
With that dear skilful Harvest hacker, I bid you a good night and wish you sweet and benevolent greyscale dreams.
TL;DR:
We need hackers to find our security vulnerabilities, and could accept them stealing our money and keeping a reasonable amount of it if they would engage with our communities afterwards to help us learn and grow. It would be amazing to see a greyhat movement arise in the blockchain hacker community (we know you have one).
Background reading:
- Harvest Week 9 newsletter: outlining the hacks and first steps taken to secure the platform
- Harvest Week 11 newsletter: outlining the new GRAIN token and the moves made by the community to make everyone whole
- Emma, The Fox and The Frogs - The hack explained through farm (and sexual) metaphors by the talented ScifiZephyr
- Rekt article about the Harvest exploit in technical detail
Conversation starter:
Readers: Please comment with advice to the hacker community about what you think a proper code of ethics should be. Keep in mind where these people come from, and how little we as a community listen to security advice before we get hacked.