In a blog post published on October 27, DeFi protocol Harvest Finance offered an update on the $24 million hack, providing both an explanation and apology for the incident.
- The team begins the post by explaining the specific mechanism of the attack, before offering mitigation strategies and an apology
- The protocol suffered an economic arbitrage attack -- the attacker exploited an arbitrage opportunity and impermanent loss that “influences the value of individual assets on Curve Finance”; essentially, the attacker used large-volume market trades to manipulate prices through impermanent loss, arbitrage, and slippage
- Suggested mitigation techniques for the future include making flash-loan-based attacks infeasible using a “commit-and-reveal” mechanism, a stricter configuration of the existing deposit arb check, withdrawals in an underlying asset, and using oracles for determining asset prices
- Victims of the attack will receive refunds through a snapshot and the MerkleDistributor, as well as other means that will be discussed via the governance platform
- The team has put out a $100,000 bounty to discover the attacker’s identity, and has reportedly obtained some identifying information; however, no suspects have been reported
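The deposit-side check and oracle comparison named in the mitigations above, as an added illustration that is not Harvest Finance's own code: a simplified constant-product pool (a stand-in for the Curve pool) shows how a large trade shifts the pool-implied price away from an oracle price, and how the deposit threshold, in basis points, decides whether a deposit is admitted. The pool model, reserves, oracle price and thresholds are all assumptions.

```python
# Added example, not from Harvest Finance's post or code base.
# Simplified model of a price-sanity ("deposit arb") check: a deposit is
# refused when the pool-implied price drifts too far from an external
# oracle price. Pool model and thresholds are assumptions, not Harvest's.
from dataclasses import dataclass
from typing import Tuple


@dataclass
class Pool:
    """Constant-product pool (x*y=k); a stand-in for the real Curve pool."""
    x: float  # reserve of asset A
    y: float  # reserve of asset B

    def price_a_in_b(self) -> float:
        return self.y / self.x

    def swap_a_for_b(self, amount_a: float) -> float:
        """Sell amount_a of A into the pool; returns the amount of B received."""
        k = self.x * self.y
        new_x = self.x + amount_a
        out = self.y - k / new_x
        self.x, self.y = new_x, k / new_x
        return out


def deviation_bps(pool_price: float, oracle_price: float) -> float:
    """Absolute distance between pool price and oracle price, in basis points."""
    return abs(pool_price - oracle_price) / oracle_price * 10_000


def deposit_allowed(pool: Pool, oracle_price: float, max_deviation_bps: float) -> bool:
    """The check itself: admit the deposit only while the pool agrees with the oracle."""
    return deviation_bps(pool.price_a_in_b(), oracle_price) <= max_deviation_bps


def simulate(trade_size: float, max_deviation_bps: float) -> Tuple[float, bool]:
    """Push a large trade through a fresh pool, then ask whether a deposit would pass."""
    pool = Pool(x=10_000_000.0, y=10_000_000.0)  # constructed reserves
    oracle = 1.0                                  # constructed oracle price
    pool.swap_a_for_b(trade_size)
    drift = round(deviation_bps(pool.price_a_in_b(), oracle), 1)
    return drift, deposit_allowed(pool, oracle, max_deviation_bps)


if __name__ == "__main__":
    # A loose threshold lets the deposit through after a 1M trade; a
    # stricter one (the "stricter configuration" in the post) rejects it.
    print(simulate(1_000_000.0, 2000))  # (1735.5, True)
    print(simulate(1_000_000.0, 300))   # (1735.5, False)
```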