- A crypto-investment and yield farming platform was hacked, losing $24 million belonging to its users.
- The attacker returned some of it for reasons unknown, and the platform is hopeful that the rest will be returned soon.
- The hacker exploited a cryptographic vulnerability and carried out the attack in just seven minutes.
‘Harvest Finance’ is going through a rough situation after someone stole $24 million from the platform by exploiting a cryptographic flaw, which allowed the siphoning of other people’s funds. The hacker initially invested a large amount of money in the platform and then stole $13 million in USDC and $11 million worth of Tether. ‘Harvest Finance’ took responsibility for the existence of the exploited vulnerability and is now developing a remediation plan for the affected users.
‘Harvest Finance’ is a crypto-investment platform that enables users to profit from their holdings by harvesting amounts that are generated from small price variations in the exchange rates. The platform basically offers an automated system to enable investors to engage in the so-called “yield farming” process, and for this to work, it requires them to lock the funds in it.
The attacker figured out a way to influence the value of individual assets inside the platform’s vaults by investing a large sum and obtaining shares at a beneficial price and then exited the vault at a regular share price, so he/she was leaving with a significant profit each time. This took place multiple times, as Harvest Finance sees 17 attack transactions for the USDC vault in their logs and another 13 transactions for the USDT vault. All in all, both attacks were over in just seven minutes, leaving the platform with very little time to respond.
Weirdly, the hacker returned $1.76 million worth of USDC and $0.72 million in Tether to ‘Harvest Finance,’ but this move has unclear motives or symbolism. The platform says they currently hold a significant amount of personally identifiable information on the hacker and even point out that he/she is a well-known person in the crypto community. Still, though, they are not interested in doxing the person and hope that the attacker is just trying to prove a point and that the money will be returned soon.
In fact, ‘Harvest Finance’ has made it clear that there’s no fund to cover the lost amount and that returning the funds is the only solution to the problem. The platform is even offering $100,000 as a bounty to anyone who can convince the attacker to return the funds.
Harvest Finance has already laid out four possible mitigations for the future, like using oracles for determining asset price, employing a stricter configuration of the existing deposit arb check in the strategies, and implementing a commit-and-reveal mechanism for deposits. However, even if all of the funds are returned and distributed back to the users, the trust in the platform will have been compromised, possibly beyond any point of return.