On Sunday night I was chatting on Discord about Harvest Finance and GYSR when the community suddenly went crazy. A hacker attack was taking place on the stablecoin and Bitcoin pools. The attack was stretching the price of the stablecoins in Curve out of proportion while repeatedly depositing and withdrawing very large amounts of crypto.
The attacker stole funds from the USDC and USDT vaults by exploiting an arbitrage opportunity and the impermanent loss that affects the value of the individual assets inside the Y pool of Curve.fi. The attacker repeatedly exploited the effects of impermanent loss by manipulating asset values, depositing funds into Harvest's vaults to obtain vault shares at a favourable price, and then exiting the vault at the regular share price, generating a profit. The Harvest team took quick measures and stopped the attack before it could do greater damage. The two affected pools were emptied and the funds were moved into the Vault, while no other pools were affected and $FARM earning continued as normal.
In a Twitter update, Harvest.Finance assured that a report would be published soon. I was online throughout the attack, and the team handled everything in a very professional manner, keeping the community updated and limiting the chaos.
The attacker and the address they used were quickly tracked, and the Harvest team continued the investigation. Harvest Finance took full responsibility for the engineering error that permitted the hack and committed to making sure such incidents are mitigated in the future. A remediation plan for affected users will be created. This is the chain of events:
- The attacker's wallet address was 0xf224ab004461540778a914ea397c589b677e27bb. It deployed a contract, 0xc6028a9fa486f52efd2b95b949ac630d287ce0af, through which the entire attack was carried out on October 26, 2020, 02:53:31 AM UTC. The 10 ETH used to fund the attack was sourced through Tornado in transaction 0x4b7b9e387a79289720a0226f695913d1d11dbdc681b7218a432136cc089363c4.
- The attack itself started in transaction 0x35f8d2f572fceaac9288e5d462117850ef2694786992a8c3f6d02612277b0877. Within the context of a single transaction, the attacking contract borrowed a large amount of USDT (18,308,555.417594) and USDC (50,000,000) from Uniswap, a flash loan that had to be repaid before the transaction ended.
- The contract converted 17,222,012.640506 USDT into USDC via a swap inside the Y pool. The effect of the swap was a higher value of USDC inside the Y pool, as the other assets incurred impermanent loss. The contract obtained a roughly equivalent amount, 17,216,703.208672 USDC.
- The attacker deposited 49,977,468.555526 USDC into Harvest's USDC vault, receiving a total of 51,456,280.788906 fUSDC, i.e. 0.97126080216 USDC per share. The share price before the attack was 0.980007 USDC, so the attacker had pushed the share price down by roughly 0.9%, about 1%. The arbitrage check inside Harvest's strategy only reverts when the deviation exceeds a 3% threshold, so the transaction went through.
- The attacker exchanged 17,239,234.653146 USDC back into USDT via the Y pool. This restored the original, lower value of USDC inside the Y pool, as the impermanent-loss effect reverted. The attacker received 17,230,747.185604 USDT, then withdrew from Harvest's USDC vault, trading all fUSDC shares back for 50,596,877.367825 USDC. The share price was now 0.98329837664 USDC, because the value of USDC inside the Y pool had decreased. The USDC was paid entirely from the buffer of Harvest's USDC vault, without interacting with the Y pool at all. The net profit (not accounting for the flash loan fees) was 619,408.812299 USDC. The attacker repeated the process several times within the same transaction.
- After executing 17 attack transactions aimed at the USDC vault within 4 minutes, the attacker repeated the process in the same way for the USDT vault, starting with transaction 0x0fc6d2ca064fc841bc9b1c1fad1fbb97bcea5c9a1b2b66ef837f1227e06519a6. They executed 13 transactions targeting the USDT vault within another 3 minutes. The attacker then transferred some funds back to the Harvest deployer in transaction 0x25119cd54a4562aa427d9770af383512f9cb5e8e4d17232ad96b69dc293a3510: 1,761,898.396474 USDC and 718,914.048541 USDT.
The plan in the aftermath of the attack includes the minting of 19,637 $FARM and smart contract improvements. Mitigation strategies will be released soon, and time-locking strategy investments in new vaults will be considered, for instance through a commit-and-reveal mechanism for deposits. This would remove the ability to perform a deposit and a withdrawal within a single transaction and therefore make flash-loan based attacks infeasible. Setting asset prices through oracles was also considered, but oracle prices would have only a very loose connection to the real price inside the pool.
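To make the share-price trick and the proposed fixes concrete, here is an added example (my own simplified model, not code from the original post and not Harvest's contract code). It replays one deposit/withdraw round of the USDC vault attack using the four figures from the chain of events above (pre-attack share price, depressed price, restored price, deposit amount), and then reruns it with a stricter arbitrage threshold and with the "no deposit and withdrawal in the same block" time-lock. The vault class, the 0.5% threshold and the block-lock rule are assumptions for illustration; the real Harvest check used a 3% threshold as described above.

```python
from dataclasses import dataclass, field

# Constructed replay of one deposit/withdraw round. The four figures below are
# the ones listed in the chain of events on this page; everything else is a
# simplified model, not Harvest's contract code.
PRE_ATTACK_PRICE = 0.980007        # fUSDC share price before the attack (USDC per share)
DEPRESSED_PRICE = 0.97126080216    # share price right after the USDT -> USDC swap in the Y pool
RESTORED_PRICE = 0.98329837664     # share price after the reverse USDC -> USDT swap
DEPOSIT_USDC = 49_977_468.555526   # USDC the attacker deposited into the vault


class ArbitrageCheckFailed(Exception):
    """Raised when the share price deviates more than the vault tolerates."""


class SameBlockWithdrawal(Exception):
    """Raised by the hypothetical time-lock: deposit and withdrawal in one block."""


def price_deviation(price, reference):
    """Relative distance of the current share price from the reference price."""
    return abs(price - reference) / reference


@dataclass
class ToyVault:
    """Share-based vault. The share price is supplied by the caller, standing in
    for the strategy's valuation of its Curve Y pool position in USDC."""
    reference_price: float        # price the vault treats as sane
    max_deviation: float          # arbitrage-check threshold (3% in the real strategy)
    block_lock: bool = False      # hypothetical mitigation: no deposit+withdraw in one block
    total_shares: float = 0.0
    buffer: float = 0.0           # idle USDC held by the vault (paid out on withdrawal)
    deposit_block: dict = field(default_factory=dict)

    def _check(self, price):
        dev = price_deviation(price, self.reference_price)
        if dev > self.max_deviation:
            raise ArbitrageCheckFailed(f"deviation {dev:.2%} > {self.max_deviation:.1%}")

    def deposit(self, who, amount, price, block):
        self._check(price)
        shares = amount / price                # cheap shares while the price is depressed
        self.total_shares += shares
        self.buffer += amount
        self.deposit_block[who] = block
        return shares

    def withdraw(self, who, shares, price, block):
        if self.block_lock and self.deposit_block.get(who) == block:
            raise SameBlockWithdrawal("deposit and withdrawal in the same block")
        self._check(price)
        amount = shares * price                # paid from the buffer, Y pool untouched
        self.total_shares -= shares
        self.buffer -= amount
        return amount


def run_attack(max_deviation=0.03, block_lock=False):
    """One round of the attack. Returns (shares, usdc_out, profit), or the name
    of the defence that stopped it."""
    vault = ToyVault(PRE_ATTACK_PRICE, max_deviation, block_lock)
    try:
        shares = vault.deposit("attacker", DEPOSIT_USDC, DEPRESSED_PRICE, block=1)
        usdc_out = vault.withdraw("attacker", shares, RESTORED_PRICE, block=1)
    except (ArbitrageCheckFailed, SameBlockWithdrawal) as stop:
        return type(stop).__name__
    return shares, usdc_out, usdc_out - DEPOSIT_USDC


if __name__ == "__main__":
    shares, out, profit = run_attack()
    print(f"deviation at deposit: {price_deviation(DEPRESSED_PRICE, PRE_ATTACK_PRICE):.2%}")
    print(f"shares {shares:,.6f}  withdrew {out:,.6f} USDC  profit {profit:,.6f} USDC")
    print("0.5% threshold:", run_attack(max_deviation=0.005))
    print("block lock:", run_attack(block_lock=True))
```

With the page's numbers the round reproduces the 51,456,280.79 fUSDC, the 50,596,877.37 USDC withdrawn and the 619,408.81 USDC profit. The deposit-time deviation is about 0.89%, comfortably under the 3% arbitrage threshold, which is exactly why the check did not help; a 0.5% threshold would have reverted the deposit, at the cost of also rejecting honest users during normal pool imbalance. The block lock models the time-lock / commit-and-reveal idea: the deposit still goes through, but the same-block withdrawal is refused, and without it the flash loan cannot be repaid, so the attacker's round fails.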
The users who lost USDC and USDT will have their assets returned; Harvest Finance is currently working on the tools and a framework to provide the remedy. The $FARM price dropped from nearly $300 to $60 on the night of the attack, but thanks to the vigilance of the team and their quick response, the token recovered in the following days.
I saw their total involvement throughout the attack and I was pleased by their reaction. Accepting the blame and planning a remedy shows professionalism and dedication. I will still keep my $FARM in the Harvest pool, but not because the price has dropped. I will keep my assets there for the incredible APY (currently 437%) and because I trust them and I enjoy being part of this community. Hackers cannot stop the harvest!
Moving on to the Creativity Contest ... we all know that Harvest Finance is so cool!
And Chad is ready to give #BreadForThePeople
Links and referrals
* currently testing ReadCash
Amazon author page: PV Mihalache
Quality Faucets: Stakecube (20 daily faucets)