Harvest Finance $24M Attack - October 26, 2020
Attack Overview
On October 26, 2020, the DeFi yield-farming protocol Harvest Finance was drained of at least $24 million in liquidity through a flash loan attack. The total stolen was later revised from the initially reported $24 million to approximately $34 million.
Attack Mechanism
A smart contract deployed by the arbitrageur performed several trades within a single transaction using funds obtained through a flash loan from Uniswap. It first manipulated the ratio of USDC and USDT in the Y pools on Curve.fi, which lowered the share value of the Harvest Finance vaults, and then restored the ratio in the Y pools, which raised the share value of the vaults again.
The attacker began by taking out a $50 million USDC flash loan from Uniswap, then executed 17 attack transactions against the USDC vault within 4 minutes and a further 13 against the USDT vault within another 3 minutes.
Root Cause
The attacker exploited arbitrage and impermanent-loss effects that influenced the value of individual assets inside the Y pool of Curve Finance, where the vault funds resided. This was a sophisticated arbitrage attack — it was not a hack, and no smart contract code was compromised.
Response and Remediation
The protocol took responsibility for what it called an 'economic attack' and 'engineering error' and made a remediation plan for affected users its top priority. To protect against flash-loan-based attacks, the team explored a "commit-and-reveal" mechanism for deposits, which would make it impossible to deposit and withdraw within a single transaction.
The team offered a $100,000 bounty for help returning the funds, which would quadruple to $400,000 if accomplished within 36 hours.
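The same-transaction round trip described under Attack Mechanism, and the single-transaction restriction described above, modelled as an added Python toy (this is not Harvest Finance's contract code); the vault balances, the skewed rate of 0.97 and the $50M deposit are constructed values, and the guard stands in for the commit-and-reveal idea by refusing a withdrawal in the transaction that made the deposit.

```python
# Toy model: a share-based vault whose existing pool position is valued at a
# spot rate that a flash loan can move within one transaction, while fresh
# deposits are counted at face value. All numbers are constructed.

class Vault:
    def __init__(self, lp_tokens, shares, block_same_tx=False):
        self.lp_tokens = lp_tokens        # pool position, valued at the spot rate
        self.cash = 0.0                   # freshly deposited underlying, valued at face
        self.shares = shares
        self.block_same_tx = block_same_tx
        self.deposit_tx = {}              # user -> id of the tx holding their last deposit

    def total_value(self, rate):
        return self.lp_tokens * rate + self.cash

    def share_price(self, rate):
        return self.total_value(rate) / self.shares

    def deposit(self, user, amount, rate, tx):
        minted = amount / self.share_price(rate)   # cheap shares while rate is skewed
        self.cash += amount
        self.shares += minted
        self.deposit_tx[user] = tx
        return minted

    def withdraw(self, user, shares, rate, tx):
        # Mitigation the team explored: a deposit and a withdrawal cannot share
        # one transaction, so a flash-loan round trip cannot close.
        if self.block_same_tx and self.deposit_tx.get(user) == tx:
            raise PermissionError("withdraw in the same transaction as deposit")
        amount = shares * self.share_price(rate)
        self.cash -= amount               # a negative balance is drawn from the LP position
        self.shares -= shares
        return amount


def round_trip(block_same_tx=False, loan=50_000_000.0, skewed_rate=0.97):
    """One same-transaction deposit/withdraw around a temporary rate skew.
    Returns (depositor's gain, loss borne by the pre-existing shareholders)."""
    vault = Vault(lp_tokens=1_000_000.0, shares=1_000_000.0,
                  block_same_tx=block_same_tx)
    before = vault.share_price(1.0)
    tx = "tx-1"
    minted = vault.deposit("att", loan, skewed_rate, tx)   # pool ratio skewed
    paid = vault.withdraw("att", minted, 1.0, tx)          # ratio restored
    gain = paid - loan
    holder_loss = (before - vault.share_price(1.0)) * 1_000_000.0
    return gain, holder_loss
```

With the constructed numbers one round trip moves roughly $29k from existing shareholders to the depositor, which is why the real incident needed dozens of repeated transactions; with `block_same_tx=True` the withdrawal is refused.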