On Oct. 26, 2020, an attacker reportedly drained $24 million from DeFi platform Harvest Finance. The dev team behind the protocol explained in a tweet that the unknown hacker infiltrated one of its yield farming pools and swapped his loot for RenBTC.
The malicious actor exploited the Curve y pool by stretching the price of the stablecoins in Curve out of proportion. The team at Harvest Finance has moved to mitigate the attack on stablecoins and BTC pools by transferring Curve y pool and BTC Curve strategy funds to its vault.
Launched in late August of this year, Harvest Finance boasted over $1 billion in locked assets before the Monday morning attack.
The platform's native token, $FARM, has since plunged by around 60%, as per data from CoinGecko. Moreover, the TVL in the protocol has dropped from above $1 billion on Oct. 25 to $570M.
Figure: TVL in Harvest Finance drops heavily. Source: DeFi Pulse
Harvest Puts $100K Bounty on Hacker
The Chinese DeFi protocol has now announced a $100k bounty on any individual or team that reaches out to the malicious actor. They noted that there is a significant amount of personally identifiable info on the hacker, who is well-known in the crypto community.
Harvest Finance is actively handling the incident and has so far worked with the Ren Protocol to identify BTC addresses linked to the exploit. The team has also asked top crypto exchanges such as Binance and Coinbase to freeze the looted assets.
In a bizarre move, the attacker subsequently sent back approximately $2.5M to the anon developer admin key address in stablecoins USDC and USDT. Harvest Finance now says that the returned funds would be distributed to the affected depositors following a snapshot.
Are Harvest Finance Founders Orchestrating a Rug Pull?
In the wake of the DeFi protocol hack, several users on Harvest Finance’s Discord channel voiced their concern about a potential rug pull.
Harvest Finance has been criticized in the past due to its centralized key held by anonymous founders. This management model allows the founders to singlehandedly control over $1 billion in user assets.
DeFi researcher Chris Blec warned that founders of the protocol could take advantage of this centralized control to perform various changes to the smart contract.
Audit firm PeckShield shared a similar warning over the unaudited DeFi protocol. They noted the anonymous founders who hold the admin key could use it to drain user funds or arbitrarily mint new FARM tokens.
Currently, the crypto community remains uncertain whether the Harvest Finance admin key played any role in today's exploit.