Week 9 Update: Restoring Funds and Immediate Next Steps to Mitigate Hacks

By Chad Farmer | Harvest.finance | 28 Oct 2020


🔒 Safety and security are the two most important pillars we have at Harvest Finance.

While we were looking forward to pushing updates that would make the yield farming experience easier and more enjoyable, including prepared updates that would have moved out of Curve’s Y Pool, our main focus in Week 9 is to restore funds from the hacker and to mitigate any flashloan attacks that can affect users.

Visualization of the path through which the attacker is laundering proceeds from the economic attack.
Blockchain intelligence made possible by the very helpful TRM Labs.

🔎 In light of the hacker’s exploit, this week’s update will not be about new strategies we could deploy or UI updates that would streamline deposits or withdrawals. Instead, it shares the facts we know so far about the hacker and where the funds currently are, and how we intend to actively do right by the community. We have put out a $400,000 bounty for anyone who comes forward with the identity of the hacker or information about the hacker. Subsequently, we would need funds to be returned to the deployer address so we can restore lost crops.

🔏 We would like to reiterate that we are not trying to doxx anyone and have no interest in doing so. We humbly request that the attacker return the proceeds of the economic attack. The main priority is the restoration of funds for the thousands of affected users.

 

What We Know

We have written an extensive Post-Mortem about the Flashloan Economic Attack. It provides a technical overview of the attack, the affected pools, as well as a complete timeline of the attack.

The attacker exploited the effect of impermanent loss of USDC and USDT inside the Y Pool on Curve.fi. They used the manipulated asset value to deposit funds into Harvest vaults and obtain vault shares at a beneficial price. The attacker later exited the vault at the regular share price, generating a profit.
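The share-price effect described above, as a toy accounting model added here (it is not Harvest's contract code or its deployed fix). The `Vault` class, all figures, and the reference-price deviation guard are constructed assumptions for illustration:

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Vault:
    idle: float                 # underlying held in the vault itself
    invested_units: float       # position in the external pool
    total_shares: float
    reference_price: float = 1.0            # assumed independent price source
    max_deviation: Optional[float] = None   # None disables the guard

    def total_value(self, pool_price: float) -> float:
        # Invested position is valued at the pool's current (manipulable) price.
        return self.idle + self.invested_units * pool_price

    def deposit(self, amount: float, pool_price: float) -> float:
        if self.max_deviation is not None:
            deviation = abs(pool_price - self.reference_price) / self.reference_price
            if deviation > self.max_deviation:
                raise ValueError("pool price deviates from reference; deposit rejected")
        minted = amount * self.total_shares / self.total_value(pool_price)
        self.idle += amount
        self.total_shares += minted
        return minted

    def withdraw(self, shares: float, pool_price: float) -> float:
        payout = shares * self.total_value(pool_price) / self.total_shares
        shortfall = max(0.0, payout - self.idle)   # pulled from the pool position
        self.invested_units -= shortfall / pool_price
        self.idle -= payout - shortfall
        self.total_shares -= shares
        return payout

def round_trip(max_deviation: Optional[float] = None):
    """Deposit while the pool price is depressed, withdraw after it recovers."""
    vault = Vault(idle=0.0, invested_units=100_000_000.0,
                  total_shares=100_000_000.0, max_deviation=max_deviation)
    shares = vault.deposit(50_000_000.0, pool_price=0.99)   # constructed figures
    payout = vault.withdraw(shares, pool_price=1.00)
    remaining_share_price = vault.total_value(1.00) / vault.total_shares
    return payout - 50_000_000.0, remaining_share_price

if __name__ == "__main__":
    profit, share_price = round_trip()
    print(f"unguarded: depositor gains {profit:,.2f}, share price falls to {share_price:.6f}")
    try:
        round_trip(max_deviation=0.005)
    except ValueError as exc:
        print("guarded:", exc)
```

The depositor's gain equals the value lost by the existing shareholders, and a guard whose tolerance is wider than the price move (for example `max_deviation=0.02` here) lets the same round trip through unchanged.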

The attacker’s wallet address is: 0xf224ab004461540778a914ea397c589b677e27bb

Attack initiated in TX: 0x35f8d2f572fceaac9288e5d462117850ef2694786992a8c3f6d02612277b0877

The funds currently sit in these 7 BTC Wallets:

The attacker is actively money laundering BTC through:

  • Flugsvamp 3.0
  • Wm_cash
  • Coins.ph
  • Treddr
  • Kraken
  • Binance
  • Huobi

Complete path of funds (Courtesy of BitQuery):

https://gist.github.com/buddies2705/e1941cd37310bdfc43279b48807ba731

Tracing effort materials:
https://github.com/harvest-finance/tracing-efforts

To summarize the post-mortem:

  1. We take responsibility for this engineering error and are ensuring such incidents are mitigated in the future
  2. Formulating a remediation plan for affected users is the top priority for the coming week
  3. We humbly request that the funds are returned to the deployer so that it can be distributed back to the users

 

📸 Community Updates

Argent has listed $FARM as a trading pair. As Harvest continues to build software and tools for users yield farming, one of the most well-known DeFi wallets will make it easier for farmers to hold on to their $FARM.

 

Prior to the economic attack, Harvest had more operating income than the credit giant Monzo 🏦. Increased deposits flowing into the LPs result in more profits 💵 generated for humble farmers, and this milestone demonstrates that DeFi-based products can compete with the traditional finance 💳 sector more quickly and efficiently.

Interested in more information about $FARM economics? One of our Discord community moderators Redmption recently published some thoughts 💭 on the value of FARM and the importance of cash flow. You can also visit our very thorough Wiki for additional information.

🔑 Community is Key

Harvest has one of the most vibrant communities within the blockchain ecosystem. As we get closer to the final deadline for the Creativity Contest Part 2, we have received some amazingly creative submissions. There are over $18,000 in FARM prizes to be awarded across multiple categories.

To learn more about round 2 of our creativity contest, refer to the announcement article. Below are some recent entries that have caught our eye:

Harvest Finance swag — a beautiful ‘pensive chad’ T-shirt!

Halloween themed festive Chad card

Persian farmer chad and poem

Harvest UI: 8-bit version

 

🙏 We would also like to thank our content creators and contributors globally. For example, CryptoUF has been translating our weekly updates to French and HoldHorses has completed our strategy description bounty for $50 whenever a new strategy is deployed.

🌾 Without all of the efforts of individual farmhands, Harvest would not be one of the most fertile farms.

 

🏧 Emission Overview

💹 Week 8 Farming Incentives:

1️⃣ In week 1, 57569.1 $FARM were issued.

2️⃣ In week 2, 51676.2 $FARM were issued.

3️⃣ In week 3, 26400.2 $FARM were issued.

4️⃣ In week 4, 24997.5 $FARM were issued.

5️⃣ In week 5, 23555.0 $FARM were issued.

6️⃣ In week 6, 22507.83 $FARM were issued.

7️⃣ In week 7, 21507.22 $FARM were issued.

8️⃣ In week 8, 20551.42 $FARM were issued.

In Week 9, 19637.46 $FARM will be issued.

📉 $FARM emission in week 9 is further reduced by 4.44% from last week’s emission of 20,551.42. This is part of the emissions cut community vote where 99.12% of the votes approved this decreasing emissions plan. After ensuring sufficient emission to bootstrap critical liquidity and incentivize capital providers, additional emission provides diminishing returns to Harvest.

This week:

13746.22 $FARM (70% of week 9) will be distributed to capital and liquidity providers as follows:

🎉 1099.69 $FARM (5.59% of week 9) to stablecoin deposits into Harvest yield farming:

  • 421.10 $FARM for USDC pool (2.14% of week 9 total)
  • 371.30 $FARM for USDT pool (1.88%)
  • 25.60 $FARM for DAI pool (0.13%)
  • 281.68 $FARM for TUSD pool (1.43%)

₿ 1099.68 $FARM (5.59% of week 9) to BTC deposits into Harvest yield farming:

  • 66.48 $FARM for wBTC pool (0.33%)
  • 103.61 $FARM for renBTC pool (0.53%)
  • 860.86 $FARM for Vault_CRV_renwBTC pool (4.38%)
  • 68.73 $FARM (0.34% of week 9) to Sushiswap WBTC/TBTC deposits into Harvest yield farming

🤑 137.46 $FARM (0.70% of week 9) to WETH deposits into Harvest yield farming

🦄 5223.56 $FARM (26.59% of week 9) to UNI deposits into Harvest yield farming

  • 737.93 $FARM for ETH-DAI pool (3.76%)
  • 1625.10 $FARM for ETH-USDC pool (8.28%)
  • 1053.00 $FARM for ETH-USDT pool (5.36%)
  • 1807.51 $FARM for ETH-WBTC pool (9.2%)

🚜 4123.86 $FARM (21% of week 9) to $FARM liquidity providers in the Uniswap USDC/FARM pool

👨‍🌾 2061.93 $FARM (10.5% of week 9) to $FARM stakers in the profit share.

 

Moving Forward

🏯 As we head into the following weeks, our number one priority is security of the software infrastructure and ensuring that the hacker cannot exit with the money successfully. We will continue investing into security and are already awaiting additional audits from multiple top tier auditing firms. While that happens, we are also working on protocol upgrades that can further improve our design and ensure that our systems are even more robust.

♋ 🌿 Our other initiatives such as Council of 69, strategic partnerships, new farming opportunities and community engagement initiatives are ongoing as planned, and we will look to continue working on these as they are core pillars that have made Harvest successful. We appreciate the good faith that humble farmers from around the world have placed in us and are forever grateful for it.

 

Chad Farmer

Tilling the defi fields of Harvest.finance and reaping what I sow


Harvest.finance

All things related to life down on the FARM
