Harvest Finance has received backlash from pundits and experts alike in the crypto space following news that the farming project was hacked days ago.
Following the attack, pundits have called for a review and investigation into how it was carried out. However, it is more useful to explain how the attackers got in, so that future attacks can be avoided.
As reported by various media outlets, the decentralized finance (DeFi) farming protocol Harvest Finance suffered a breach and was robbed of no less than $24 million through a flash loan attack. In the wake of this, the protocol has taken full responsibility for the October 26 attack on the platform.
Harvest Finance developers take full responsibility for the hack
In their statement, the protocol developers said the “economic attack” happened due to an engineering error on their part. Furthermore, the protocol said it is currently making plans to refund the users affected by the breach.
“We take responsibility for this engineering error and are ensuring such incidents are mitigated in the future,” the developers said. In a blog post, the developers of Harvest Finance gave insights into what led to the attack.
In the statement explaining how hackers drained millions of dollars from its liquidity pools, the developers said that the hacker exploited arbitrage and impermanent loss. This single act influenced the value of individual assets in the Ypool of Curve Finance, where the funds in the vaults reside.
Close to 18 million USDT and 50 million USDC were taken from Uniswap and deployed into the attacking contract. As soon as this was done, the smart contract converted the USDT using the swap in the Ypool, which automatically created a higher value of USDC inside the pools. This led to other assets experiencing an impermanent loss.
Hackers used a sophisticated method to carry out the attack
The attacker did not stop there. He went on to deposit the USDC into Harvest Finance’s USDC vault, making it a total of 51.4 million USDC at 0.97 USDC per share, which decreased the value of the shares.
Furthermore, the USDC was converted to USDT using the Ypool to get back the lower value of USDC once the impermanent loss had been reverted. The DeFi thief then withdrew the USDC from Harvest’s vault, trading it for a slightly higher value as the value of the USDC decreased drastically.
The hacker acted very quickly, repeating the process 30 times in about seven minutes, which gave him a massive $24 million in USDT and USDC. Presently, the share prices of both tokens’ vaults have gone under, further adding to the developers’ worries.
“The value lost is about $33.8 million, which corresponded to approximately 3.2% of the total value locked in the protocol at the time before the attack,” the developers said. This hack was very sophisticated because no smart contract code was compromised, and flash loans are not something you can master.
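The share-price effect described above can be reproduced in a toy model. The following is an added example, not code from Harvest Finance or from the developers' post: the `Vault` class, the `reference` price, the `max_deviation` guard and all numbers are constructed assumptions. It shows how valuing a vault's pool position at a skewed spot price moves value from existing holders to a depositor, and how a price-deviation check, one common mitigation, rejects the deposit.

```python
class PriceDeviation(Exception):
    """Pool spot price is too far from the reference to price shares safely."""


class Vault:
    def __init__(self, pool_units, shares, reference=1.0, max_deviation=None):
        self.pool_units = pool_units        # position held in the external pool
        self.idle = 0.0                     # USDC held directly by the vault
        self.shares = shares                # total shares outstanding
        self.reference = reference          # assumed trusted reference price
        self.max_deviation = max_deviation  # None disables the guard

    def share_price(self, spot):
        # The pool position is valued at the pool's current spot price.
        return (self.idle + self.pool_units * spot) / self.shares

    def _guard(self, spot):
        deviation = abs(spot - self.reference) / self.reference
        if self.max_deviation is not None and deviation > self.max_deviation:
            raise PriceDeviation(f"spot {spot} is {deviation:.2%} off reference")

    def deposit(self, usdc, spot):
        self._guard(spot)
        minted = usdc / self.share_price(spot)
        self.idle += usdc
        self.shares += minted
        return minted

    def withdraw(self, shares, spot):
        self._guard(spot)
        usdc = shares * self.share_price(spot)
        from_idle = min(usdc, self.idle)
        self.idle -= from_idle
        self.pool_units -= (usdc - from_idle) / spot  # shortfall comes from the pool
        self.shares -= shares
        return usdc


def round_trip_gain(vault, usdc, skewed_spot, normal_spot):
    """Deposit at a skewed price, withdraw after it reverts; return the gain."""
    minted = vault.deposit(usdc, skewed_spot)
    return vault.withdraw(minted, normal_spot) - usdc


def demo():
    # Constructed numbers: 100M vault, 50M deposit, pool price skewed by 1%.
    unguarded = round_trip_gain(Vault(100e6, 100e6), 50e6, 0.99, 1.0)
    try:
        round_trip_gain(Vault(100e6, 100e6, max_deviation=0.005), 50e6, 0.99, 1.0)
        return unguarded, "accepted"
    except PriceDeviation:
        return unguarded, "rejected"
```

In the unguarded run the depositor's gain equals the loss borne by the holders who were already in the vault, since the share price ends below its starting value of 1.0.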