DeFi yield farming protocol Harvest Finance is promising a $1 million reward for anyone able to locate a hacker who over the weekend took off with almost $34 million of the protocol’s liquidity.
The attacker used a flash loan to artificially depress the prices of the stablecoins Tether (USDT) and USDC on Harvest, then took tokens from the liquidity pools at bargain-basement rates.
A $34 Million “Theft” of FARM
As a result, the DeFi project is looking at many modifications, including limiting flash loans, which allow tech-savvy users to concurrently deposit and withdraw funds to take advantage of price arbitrage.
In its attack post-mortem, Harvest referred to the incident as “theft” as the asset prices had been distorted.
Harvest suggested in an October 26 tweet that its staff knew who the perpetrator was but was unable to doxx them; it first offered a $100,000 reward, then raised it to $400,000, for anyone who could induce the person to return the funds.
In addition to the BTC addresses which hold the funds, there is now a significant amount of personally identifiable information on the attacker, who is well-known in the crypto community.
We are putting out a 100k bounty for the first person or team to reach out to the attacker
— Harvest Finance (@harvest_finance) October 26, 2020
Eventually, it upped the bounty to $1 million.
💵Increasing the bounty for tracking down the attacker and returning the funds to $1M
Here's what we know about the attacker:
1) understands flashloans
2) understands arbitrage and trading
3) understands curve internal code
4) understands renBTC
5) understands opsec
1/2
— Harvest Finance (@harvest_finance) October 29, 2020
A Well-Known Hacker?
According to the Harvest Discord, the person behind the hack was allegedly well-known in the crypto community. All seven bitcoin wallets containing the perpetrator's funds have also been identified.
Harvest Finance said in a series of tweets that the hack took place due to a misunderstanding on its part and that it left the door open for the hacker to return the funds without any consequences.
“We made an engineering mistake, we own up to it. Thousands of people are acting as collateral damage,” the tweets said.
“We do not have any interest in doxing the attacker, (or arbitrageur). People should have their privacy,” it stated. “You’ve proven your point. If you can return the funds to the users, it would be greatly appreciated by the community, and let’s move on.”
What is Harvest?
Harvest Finance is a DeFi protocol that farms yield from other successful DeFi protocols. The project describes itself as follows:
Harvest automatically farms the highest yield available from the newest DeFi protocols, and optimizes the yields that are received using the latest farming techniques.
We were looking for a convenient way to farm the latest projects that were producing different reward tokens. The process was highly manual and inconvenient for people that had a normal job and didn’t want to keep up with DeFi 24/7.
Gas prices have been really high, and it was expensive to farm by ourselves, so we pooled our funds together to try to save on gas. We decided to build the solution that we were looking for ourselves, and hopefully will help many others.