DeFi Protocol Harvest Finance Faces Economic Attack, FARM Token Tanks
On Oct 26, 2020, decentralized yield farming protocol Harvest Finance became the latest victim of an exploit by a malicious actor. The newly launched DeFi platform created on the Kava blockchain reportedly lost more than $24M in an early Monday morning exploit.
The hacker has already swapped his siphoned funds to renBTC, a synthetic version of BTC. He is also reportedly sending part of his loot through Tornado Cash, a privacy tool that obfuscates ETH transactions.
According to a statement from the Harvest Finance team, the hacker deployed an ‘economic attack’ on its Curve Y pool by stretching the price of the stablecoins in Curve out of proportion.
“We are working actively on the issue of mitigating the economic attack on the Stablecoin and BTC pools and will update in this thread in realtime as soon as additional details are available,” the team tweeted.
The DeFi protocol has pulled the Curve Y pool and BTC Curve strategy funds to its vault and has assured investors that all stablecoin and BTC funds are now secured. Other pools appear unaffected by the notorious hacking incident.
According to the protocol’s team, the next security step is to block deposits to the Stablecoin and BTC vault while allowing existing deposits to continue earning $FARM.
Attack Underscores the Fragility of Harvest’s Centralized Model
Following the exploit, Harvest Finance’s native DeFi token $FARM has plunged by around 60%, as per data from CoinGecko.
Data from DeFi Pulse also shows that the protocol’s total value locked (TVL) has dropped by more than $369M as investors pull funds out of the site. Harvest Finance’s TVL amounted to over $1 billion before the attack.
According to DeFi researcher Chris Blec, $2.5M worth of stablecoins has been moved into Harvest Finance’s anon developer admin key address from the hackers’ exploit contract.
The Chinese DeFi protocol has come under fire in recent weeks due to its centralized key held by anonymous founders. This management model allows the founders to singlehandedly control the more than $1 bln in user crypto assets.
Chris Blec had earlier lamented that Harvest Finance’s administrators held the admin key to perform various changes. Other users were wary that the developers could exploit the platform’s centralized control to introduce dubious changes to the smart contract.
For instance, DeFi investor Tetranode recently requested that the protocol include a 12-hour lock dashboard, enabling investors to exit their positions within the lock-in period if the dev team orchestrates a rug pull.
At this stage, it remains unclear whether the admin key had any role in the attack or if the anonymous team behind the project played a part in the sudden drain in funds.
Crypto Twitter Reacts
After news of the attack broke, one Twitter user and crypto holder advised the community to withdraw their funds from Harvest Finance, adding that there might have been an infiltration of other pools as well.
Quant trader Quia Wang took to Twitter to express his disappointment over the hack, calling it a massive setback for DeFi.
Interestingly, some users accuse the dev team at Harvest Finance of attempting to kick out people from the protocol’s Discord channel for asking about the exploit.