Date: 2020-10-26

Yield farming protocol Harvest Finance has been hacked.

The attacker made off with $24 million, but returned $2.5 million.

Exploits of decentralized finance (DeFi) protocols are becoming worrisome and pose a huge threat to the speedy growth of the industry. A few hours ago, a hacker took advantage of bugs in the yield farming protocol Harvest Finance and drained almost all the funds locked in the project, according to information shared on Twitter.

Harvest Finance loses about $24 million to an unknown attacker

According to the information, the Harvest Finance protocol was hacked early today, with almost all the assets drained. Overall, the yield farming protocol lost about $24 million to the attacker(s). Later, the attackers returned about $2.5 million to the protocol deployer. It remains unknown why the hacker returned this amount. However, this is not the first time a DeFi protocol attacker has returned a small portion of stolen funds.

Meanwhile, the attacker could cash out the stolen Harvest Finance assets by converting them to renBTC, a tokenized version of Bitcoin (BTC), and by using Tornado. Giving a clue as to how the protocol was hacked, the Harvest Finance team noted that the attack was launched through the Curve Finance Y pool. The statement reads:

The economic attack was performed through the curve y pool, stretching the price of the stablecoins in Curve out of proportion and depositing and withdrawing a large amount of assets through harvest.

A buggy protocol

In a separate post, a Twitter user said he found two errors in the Harvest Finance protocol after analyzing the code. According to the post, there was an implementation bug in the protocol as well as a mistake in the protocol's design.

2. Loose Design – They have an arbitrage check function in strategy, but the tolerance was not enough value. I couldn't check what the value was at the time of exploiting, but the default value of 3% was too much. — Pancake $Bunny on #BSC (@PancakeBunnyFin), October 26, 2020
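
The tolerance point raised in the tweet above, as an added example that is not from the article, the tweet's author or Harvest Finance's code: a simplified Python model of a vault that prices shares from a pool price and guards deposits and withdrawals with a deviation check. The vault model, the reference price, the balances and the 0.1% comparison threshold are assumptions; only the 3% default comes from the tweet.

```python
# Added illustration: a simplified vault model, not Harvest Finance's contract code.
# All names and balances are constructed; only the 3% default comes from the tweet.

class PriceDeviationError(Exception):
    """Raised when the pool price strays too far from the reference price."""

def check_deviation(pool_price, reference_price, tolerance):
    deviation = abs(pool_price - reference_price) / reference_price
    if deviation > tolerance:
        raise PriceDeviationError(f"deviation {deviation:.2%} > tolerance {tolerance:.2%}")

class Vault:
    def __init__(self, cash, units, shares, tolerance):
        self.cash, self.units, self.shares, self.tolerance = cash, units, shares, tolerance

    def value(self, pool_price):
        # Invested units are valued at the pool's current, manipulable price.
        return self.cash + self.units * pool_price

    def deposit(self, amount, pool_price, reference_price):
        check_deviation(pool_price, reference_price, self.tolerance)
        minted = amount * self.shares / self.value(pool_price)
        self.cash += amount
        self.shares += minted
        return minted

    def withdraw(self, shares, pool_price, reference_price):
        check_deviation(pool_price, reference_price, self.tolerance)
        fraction = shares / self.shares
        payout = fraction * self.value(pool_price)
        self.cash *= 1 - fraction      # pay out pro rata from cash and units
        self.units *= 1 - fraction
        self.shares -= shares
        return payout

def depositor_loss(tolerance, skew, amount=1_000_000.0):
    """Loss to existing depositors from one deposit at a skewed price followed by
    a withdrawal at the fair price; None when the check rejects the deposit."""
    vault = Vault(cash=0.0, units=1_000_000.0, shares=1_000_000.0, tolerance=tolerance)
    fair = 1.0
    try:
        minted = vault.deposit(amount, fair * (1 - skew), fair)
    except PriceDeviationError:
        return None
    return vault.withdraw(minted, fair, fair) - amount

if __name__ == "__main__":
    for tol in (0.03, 0.001):
        print(f"tolerance {tol:.1%}: loss at 1% skew = {depositor_loss(tol, 0.01)}")
```

In this model a 1% price skew passes the 3% check and costs existing depositors about 0.5% of their balance per round trip, while the tighter constructed threshold rejects the deposit outright.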

The development today also caused a 60 percent drop in the protocol’s governance token (FARM) price on CoinGecko.