Another day, another hack. A possible loophole in the Harvest Finance DeFi protocol sent its token, FARM, down 70% in less than an hour.
A few hours ago, tweets began circulating claiming that Harvest Finance had been hacked. An anonymous hacker has swapped $25M from Harvest Finance pools for renBTC (rBTC) and is selling it off. Community members also say some of the funds have been transferred to Tornado Cash, a zk-SNARKs-based privacy tool for laundering Ethereum transactions. Following the claims of an attack, investors have withdrawn $350 million.
While details remain unclear, the anonymous team behind Harvest Finance confirmed in a tweet that it was an “economic attack” and that it is working on mitigating the attack on the stablecoin and BTC pools.
According to the team, the hack was performed through the Curve y pool: the attacker stretched the price of the stablecoins in Curve out of proportion, then deposited and withdrew a large amount of assets through Harvest.
To protect users, we’ve pulled y pool and BTC curve strategy funds to the vault.
The team says that, for now, all the stablecoin and BTC Curve strategy funds have been withdrawn to the vault and that none of its other pools have been affected by the hack.
According to Chris Blec, $2.5M of stablecoins were transferred from the hacker’s exploit contract into the admin key address (an EOA) of Harvest Finance’s anonymous developer.
- Harvest Finance loses $24M.
- Hack carried out through the Curve Finance Y pool.
- renBTC and Tornado Cash are being used by the hacker to launder the funds.
- $2.5M returned to the deployer.
Note, however, that this is a developing story: no statement has been released about the lost funds, and this article will be updated when more is known about the hack.