Editor's Note: This article comes fromBabbitt Information (ID: bitcoin8btc)Editor's Note: This article comes from

Babbitt Information (ID: bitcoin8btc)

Summarize:

1. , Author: Harvest Finance, Compiler: Free and Easy, released with authorization.

2. On October 26, hackers used flash loans to steal $24 million from the vault of the DeFi protocol Harvest. According to Harvest's official analysis report, flash loans were only part of the attack, and specifically involved the DeFi protocol. The problem of impermanent loss. Although the attacker returned approximately US$2.5 million in funds afterwards, Harvest users still faced a loss of more than US$20 million (about US$33.8 million). For this, Harvest officially issued a reward and requested the hacker Return the remaining funds.

3. We are responsible for this engineering error and ensure that such incidents are mitigated in the future;

what happened?

Developing a remediation plan for affected users is our top priority for the week ahead;

1. We humbly request the attackers to return funds to the deployers so they can be distributed to affected users;

2. what happened?

At 2:53:31 UTC on October 26, an attacker stole funds from Harvest Finance’s USDC and USDT vaults. The attackers exploited arbitrage and impermanent losses affecting individual assets in the Curve.fi Y pool, where Harvest vaults were invested. The following mechanisms of the protocol allow such attacks to be performed:

1. Harvest's investment strategy calculates the real-time value of investing in underlying real-time protocol assets. The treasury uses the value of the asset to calculate the number of shares that will be issued to the user where the funds are deposited. When users withdraw funds from the vault, they also use the value of the asset to calculate the payout that the user should receive when they withdraw.

2. Assets in some vaults (including USDC and USDT) are held in shared pools of underlying DeFi protocols (e.g. Curve.fi’s Y Pool). Assets in these asset pools are subject to market effects such as impermanent losses, arbitrage, and slippage. Therefore, their value can be manipulated through a large number of market transactions.

3. The attacker repeatedly exploited the impermanent loss impact of USDC and USDT in the Curve.fi Y pool. They use manipulated asset values ​​to deposit funds into Harvest's vaults, acquire shares in the vault at a price favorable to them, and exit the vault at the normal price, thereby generating a profit. The following is the tracking chain of this attack event:

4. The attacker’s wallet address is 0xf224ab004461540778a914ea397c589b677e27b, which deployed a contract 0xc6028a9fa486f52efd2b95b949ac630d287ce0af, through which they executed the attack at 02:53:31 UTC on October 26, 2020 . The 10 ETH used for the attack was hidden through the Tornado transaction 0x4b7b9e387a79289720a0226f695913d1d11dbdc681b7218a432136cc089363c4.

5. The attack itself was launched in the transaction 0x35f8d2f572fceaac9288e5d462117850ef2694786992a8c3f6d02612277b0877.

6. The attacker obtained a large amount of USDT (18,308,555.417594) and USDC (50,000,000) from Uniswap to inject into the attack contract.

7. The contract converted 17,222,012.640506 USDT into USDC through the swap transaction of the Y pool. The impact of the swap is that due to the impermanent loss of other assets, the value of USDC in the Y pool is higher. The amount obtained by this smart contract is roughly equivalent to 17,216,703.208672 USDC;

8. The attacker deposited 49,977,468.555526 USDC into Harvest’s USDC vault and received 51,456,280.788906 fUSDC at a price of 0.97126080216 USDC per share. Before the attack, the price of fUSDC per share was 0.980007 USDC, so the attacker reduced the value of the stake by roughly 1%. The arbitrage check inside the Harvest strategy did not exceed the 3% threshold, so the trade was not reverted.

9. The attacker exchanged 17239234.653146 USDC back to USDT through the Y pool. As a result, the original lower value of USDC was obtained in the Y pool due to the restoration of the impermanent loss effect. The attacker thus recovered 17,230,747.185604 USDT.

10. The attacker withdrew coins from Harvest’s USDC vault and exchanged all fUSDC shares for 50596877.367825 USDC. Due to the decrease in USDC value in the Y pool, the price of fUSDC per share is 0.98329837664 USDC. The USDC is paid entirely by Harvest's USDC vault and does not interact with the Y pool at all. Doing this once, the attacker's net profit (excluding flash loan fees) is 619408.812299 USDC, and the attacker repeated the process several times in the same transaction.

After executing 17 attack transactions against the USDC vault within 4 minutes, the attacker repeated the process in a similar fashion against the USDT vault, starting with transaction 0x0fc6d2ca064fc841bc9b1c1fad1fbb97bcea5c9a1b2b66ef837f1227e06519a6. They completed 13 attack transactions against the USDT vault in another 3 minutes.

At 03:01:48 UTC on October 26, 2020, the attacker transferred 13,000,000 USDC and 11,000,000 USDT from the attack contract to address 0x3811765a53c3188c24d412daec3f60faad5f119b.

After the attack, the share price of the USDC vault dropped from 0.980007 to 0.834953 USDC, while the share price of the USDT vault dropped from 0.978874 to 0.844812 USDT, a drop of 13.8% and 13.7% respectively. The value lost by users was approximately $33.8 million, equivalent to 3.2% of the total value locked in the protocol before the attack.0xf224ab004461540778a914ea397c589b677e27b。

Next step

secondary title

Next step

The Harvest Finance protocol has a regular weekly schedule that it needs to maintain consistent yields for all farmers. According to the emission plan on October 27, 2020, the Harvest Finance team announced the minting of 19637.46 FARM tokens. The smart contract improvement plan, originally scheduled for release on October 27, requested by the community, will be postponed so that its security can be reassessed in the context of the attack. Funds in the vault using the shared pool will continue to be withdrawn from the policy until mitigations for such attacks are in place (see next section). These measures, along with infrastructure for remediation for affected users, will be the team's next development focus. We take responsibility for this engineering error and ensure that such incidents are mitigated in the future.

secondary title

1. Possible Future Mitigations

2. The Harvest Finance team is working on evaluating possible mitigation strategies and implementing them, along with any necessary user experience changes, in an upcoming release. We will take advantage of the upgradeable nature of the new vault, as well as timelock-based investment strategy replacements, and communicate mitigation strategies well to the community before release.

3. Possible restoration techniques include these options:

4. Implements the deposit submission and display mechanism. This would remove the ability to perform deposits and withdrawals in a single transaction, thus making flash loan-based attacks infeasible. In terms of users, this means that during the deposit, their tokens will be transferred to Harvest in one transaction. Users would then claim their stake in another transaction, preferably in a different block. This will constitute a change in user experience and may result in higher, but still acceptable, gas costs.

A stricter configuration check policy for existing deposit arbs. The current threshold is set at 3%, so it is not enough to protect vaults from such attacks. A tighter threshold could make such an attack economically infeasible, however, it could limit deposits in the case of natural impermanence loss effects, and Sunday's incident, which exceeded 7 minutes, shows that this measure is not effective enough , and should therefore be considered as complementary to other measures.

1. Extraction of underlying assets. When users deposit into a vault that uses a shared pool (like Y Pool), they effectively exchange their individual assets for pool assets (like yCurve). If users only withdraw the underlying asset, they can trade it into a portfolio based on current market conditions. If markets are manipulated, transactions are also subject to such manipulation, which prevents the attacking entity from generating profits. From the perspective of ordinary users, yCRV can be converted into stable coins in a separate transaction after being raised. While this would require a UX change, it could benefit the protocol. The downside of this approach is that it ties the vault withdrawal mechanism to the strategy currently in use: if one strategy switches to another that does not use the shared underlying pool, or uses a different pool, the resulting Assets also change.

2. Use oracles to determine asset prices. While an approximate asset price can effectively be determined from an external oracle (provided by Chainlink or Maker), it is very loosely linked to the actual share price. If the value of assets in the underlying DeFi protocol differs from the price quoted by the oracle machine, the treasury will face free arbitrage and flash loan attacks. This is not a Harvest solution, however, we will consider the use of oracles in the system design and possible mitigation strategies.

Remedies for users who lost USDC and USDT funds

1. Distributing the attacker's refunded funds via snapshots and MerkleDistributor, we reached out to the developers who helped create these tools and worked to build the infrastructure that would provide remediation to affected users. Distributing funds is a priority, and we will release more details on the distribution of funds once the tools are built.

2. Other remedies will be analyzed and voted on in governance.

3. Attacker Information and Bounty

4. The attacker used the newly generated Ethereum address 0xf224ab004461540778a914ea397c589b677e27bb to carry out the attack;

   1Paykw4s2WX4SaVjDrQkwSiJr16AiANhiM

   1HLG86DDEzAxAGmEzxr1SUfPCWcnWA6bMm

   14stnrgMFNR4LesqQRUdo5n1VUx9xdAMeg

   18w2Bm2cCsbLjWQU9BcnjzK8ErmzozrVa3

   1FS2t2eAjmjaNmADN6SMHYo7G4XGpX1osS

   1NdAJ89k1qpRMpZLwuYGQ7VnM45xD2NJXa

   1CLHhshrusvT4XADWA29R2H4ndsSUamEWn

5. Tornado transaction 0x4b7b9e387a79289720a0226f695913d1d11dbdc681b7218a432136cc089363c4;

6. The attack was launched in the transaction 0x35F8D2F572FCEAAC9288E5D46211780EF2694786992A8C3F6D02612277B0877;

7. The attacker transfers bitcoins via the REN protocol to the following addresses:

The attackers then sent several transactions to known Binance deposit addresses: https://blockstream.info/tx/7777569f003193ae59dbc5afbbf8bfbf3ac6c8ce8a8ec2b8707de14ddc3329a6 https://blockstream.info/tx/9fcc273f2d50fc582 4b8fd0bbe832831d02e7fe04bcc09d143e787455c602195

We are offering a $100,000 bounty to the first individual or team that helps us recover our funds.

If the refund is completed within the next 36 hours, the bounty is $400,000. Please do not dox the attackers in the process, and we strongly recommend focusing all efforts on ensuring user funds are successfully returned to the deployers.