The attacker needed 7 minutes to execute an arbitrage attack.

According to some reports, the hacker is a known figure in the community.

A hacker exploited a security vulnerability in the decentralized finance (DeFi) protocol Harvest Finance, developed by an anonymous team. The hacker stole $24 million in tokens and then returned $2.5 million to the protocol for unknown reasons.

The attacker needed just 7 minutes to execute an arbitrage attack, carrying out a series of steps through the Uniswap, Curve Finance, and Harvest protocols before reaching his goal of draining funds. He first got a $50 million flash loan on Uniswap.

He then started trading between USDC and Tether (USDT) to make the prices of the two tokens swing wildly. When he noticed the price of Tether starting to drop on Harvest, he proceeded to exchange it at a discount for stablecoins obtained on the flash loan.

In short, what the attacker did was manipulate the prices in Curve and Harvest to obtain higher returns. Then he probably converted the funds into renBTC, the synthetic version of Bitcoin that can be used on the Ethereum network, and managed to withdraw the funds using the Ethereum mixing tool Tornado Cash.

The Harvest protocol is a yield farming platform that is less than two months old. It offers its users higher returns, which it collects from different lending protocols and optimizes to return the maximum profit to those who deposit stablecoins and Bitcoin. According to DeFi Pulse, it had more than $1 billion in total value locked at the end of last week.

The alert about the irregular situation circulated during the early hours of Monday, when analytics service provider DeFi prime warned that something strange was happening at Harvest Finance and needed to be closely monitored. Once the Harvest team confirmed that the attack took place, users began withdrawing their funds. Shortly after, they had withdrawn about $350 million from the protocol.

The platform’s native FARM token plummeted by more than 60% in less than an hour, according to data from CoinGecko.

Later, Harvest Finance reported that it decided to cold-protect user funds while blocking deposits. At the moment, there are no further details on how the attack occurred or whether it was the result of a flaw in the smart contract code. Harvest Finance claims that it analyzed its smart contracts and had them evaluated by PeckShield and Haechi Labs.

A DeFi vulnerability foretold

The attack comes after DeFi analyst Chris Blec warned that there are enough reasons to mistrust the platform. Blec stated that the administrators of Harvest Finance hold, locked in the contracts of the protocol, an “administrator password that can drain funds.” However, it is so far unknown whether there is any relationship between that administrator password and the sudden loss of funds from the protocol.

Harvest provided some bitcoin addresses for the attacker and said there is a “significant amount of personally identifiable information about the attacker.” It claimed that the attacker is well known in the cryptocurrency community. It also offered a reward of $100,000 for the first person or team that approaches the attacker.

The team behind the protocol also reported that it asked various exchanges to block the attacker’s addresses.

The attack underscores the fragility of DeFi protocols, which routinely face similar attacks. As CriptoNoticias reported recently, so far in 2020 another five DeFi platforms have also suffered attacks, some of them repeatedly, like bZx, which generated at least $30 million in losses. The attacks reveal that hackers seek to exploit the weaknesses of the smart contracts of the different protocols.

By: Jenson Nuñez.
