Earlier today on Monday, October 26, 2020, Hackers exploited the decentralized finance (DeFi) yield farming protocol Harvest Finance and drained an amount of $24 million in value. Reportedly, the funds were drained from the protocol’s stablecoin and BTC pools. A part of the amount was sent back to the deployer as well.
An Economic Attack
This hack has been referred to as “an economic attack” by the DeFi protocol Harvest Finance. It reported via a tweet that this hack was carried out by hackers through Curve y pool and the price of stablecoins was stretched by them on Curve.
Hackers exploited $24 million in USDC and USDT stablecoins. However, they have returned back an amount of $2.5 million to the deployer as well. All of the y pool and BTC curve strategy funds were pulled immediately into the vault by Harvest Finance for making sure the protection of users. However, others pools of the DeFi platform remained unaffected.
The economic attack was performed through the curve y pool, stretching the price of the stablecoins in Curve out of proportion and depositing and withdrawing a large amount of assets through harvest.
To protect users, we've pulled y pool and btc curve strategy funds to the vault
— Harvest Finance (@harvest_finance) October 26, 2020
Shortly after this incident occurred, the price value of the native token of Harvest Finance FARM plummeted down suddenly by over sixty percent. The drop occurred within a time period of less than one hour. Due to this price drop, the FARM token went down to $85. Apart from this, Harvest Finance’s total value locked (TVL) also dumped down to $570 million after decreasing from the massive $1 billion mark.
Harvest Finance has put a $100k bounty on the attacker
Harvest Finance is actively tackling this hacking incident and has made some progress. According to a tweet from the DeFi protocol, the hacker is very popular in the cryptocurrency community. The platform says it has some “personally identifiable information” on the hacker. A bounty of $100k has been put on the attacker as well.
“In addition to the BTC addresses which hold the funds, there is now a significant amount of personally identifiable information on the attacker, who is well-known in the crypto community. We are putting out a 100k bounty for the first person or team to reach out to the attacker.”