Author | Qin Xiaofeng

Editor | Hao Fangzhou

Produced | Odaily

Editor | Hao Fangzhou

According to the announcement, the attack lost a total of 33.8 million US dollars (previously reported as 4 million US dollars), accounting for about 3.2% of the total value locked in the agreement before the attack; Distributed to affected depositors; in the future, Harvest Finance will implement a "commit-disclosure" mechanism for deposits, reduce flash loan attacks, use oracle machines to determine asset prices, and increase deposit arb configuration (the current threshold is set to 3%).

Produced | Odaily

This morning, the DeFi aggregation protocol Harvest Finance issued a statement in response to yesterday's flash loan attack.

At 10 am yesterday, a Twitter user broke the news that the attacker relied on the cost (handling fee) of 20 ETH to arbitrage impermanent losses in the Curve protocol y pool through flash loans, and the Curve.fi Y pool is where the Harvest treasury invests. The attacker then converted the funds into renBTC and cashed out, and Harvest lost millions of dollars as a result. Many participants claimed to have lost more than 15% to 20% of their funds.

Affected by this, the price of FARM, the governance token of Harvest Finance, plummeted from US$237 to US$78, with a maximum drop of nearly 70%. As of today’s press release, the price of FARM has risen to around US$110; Has plummeted to 450 million US dollars, the largest drop of 60%.

However, the Curve protocol has not been affected. The price of its governance token CRV has continued to rise in the past 24 hours, once rising to 0.44 USDT, with a maximum increase of nearly 30%.

secondary title

(1) Event Review: Flash Loan Arbitrage

• Harvest Finance is a DeFi income aggregator whose main function is to provide liquidity to other DeFi pools to earn income for its own liquidity providers. Before the attack, Harvest Finance mainly provided liquidity in the Curve protocol y pool.

• How did the attacker realize the attack and complete the arbitrage?

• First, let me briefly explain the logic of this attack. In simple terms, there are three steps, namely "borrowing - positive price manipulation - reverse price manipulation":The attacker lent a large amount of USDT and USDC through flash loans;

A large amount of USDT is converted into USDC in the Y pool, resulting in an increase in the price of USDC; since the price of USDC in the Harvest pool refers to the Y pool, it also rises; at this time, USDC is used to exchange more fUSDC in the Harvest pool;

In the Y pool, the above process is reversed, and a large amount of USDC is converted into USDT, resulting in a decrease in the price of USDC; at this time

• The price of USDC in the Harvest pool also drops; fUSDC can be used to exchange for more USDC than before to complete arbitrage.

• Of course, in order to enable transactions on the chain to be carried out in a very short period of time, each transaction is fully charged.

The Harvest Finance announcement describes the full attack chain:"20 ETH was transferred through the Ethereum anonymous transfer platform Tornado.cash as a follow-up attack fee. The attacker’s wallet address is 0xf224ab004461540778a914ea397c589b677e27b, and an attack contract 0xc6028a9fa486f52efd2b95b949ac630d287ce0af was deployed."Lend a huge amount of USDT (18,308,555.417594) and USDC (50 million) through Uniswap V2 flash loan, and inject them into the attack contract;(Note: Flash loans require borrowing and repayment to be

• a transaction

• is completed, otherwise the loan funds are withdrawn, and the attacker

• It is by taking advantage of this blank time that the arbitrage transaction is completed; flash loan arbitrage is also a relatively common method at present. )

• The contract converts 17222012.640506 USDT into USDC through the swap agreement in Curve protocol Y pool. The impact of the swap is that due to the impermanent loss of other assets, the value of USDC in the Y pool increased, and 17216703.208672 USDC was obtained; at this time, the attacker added the principal of the previous flash loan, and the attacker held about 67.21 million million USDT.

• The attacker deposited 49,977,468.555526 USDC into Harvest's USDC vault, and exchanged 51,456,280.788906 fUSDC at the unit price fUSDC/USDC=0.97126080216. The unit price before the attack was 0.980007, and now the unit price is 0.9712, which has dropped by about 1% month-on-month, which did not trigger the 3% red line set by the Harvest arbitrage strategy, so the transaction was valid and successful, and was not forced to recover.

• The attacker exchanged the remaining 17239234.653146 USDC back to 17,230,747.185604 USDT through the y pool; due to the recovery of the impermanent loss effect, the value of USDC in the Y pool decreased at this time, and the attacker obtained 17,230,747.185604 USDT.

• The attacker withdrew coins from Harvest’s USDC vault. Since the value of USDC in the Y pool dropped at this time, the unit price of fUSDC/USDC rose to 0.98329837664. The attacker exchanged all the previous shares of fUSDC (about 51.45 million) back to 50596877.367825 USDC. Moreover, USDC is completely paid by Harvest's USDC vault, and does not interact with Y pool at all, so it will not affect the USDC price in Y pool.

• After such an arbitrage, the attacker's net profit (excluding the loan fee of the flash loan) is 619408.812299 USDC. The attacker then repeated the process several times in the same transaction.

Within 4 minutes, the attacker executed 17 attack transactions against the USDC vault, and then used a similar method to attack the USDT vault, and completed 13 attack transactions within 3 minutes.

At 11:01:48 on October 26, Beijing time, the attacker transferred 13,000,000 USDC and 11,000,000 USDT from the attack contract to address 0x3811765a53c3188c24d412daec3f60faad5f119b.After the attack, many people commented on Harvest Twitter that they lost 15%-20% of their funds. Many KOLs also recommend that users withdraw funds from Harvest first to ensure the safety of funds.

According to Harvest statistics, the loss of users is not optimistic: the unit price of USDC treasury fell from 0.980007 to 0.834953, and the unit price of USDT treasury fell from 0.978874 to 0.844812, a decrease of 13.8% and 13.7% respectively;

The total value lost was approximately $33.8 million, or approximately 3.2% of the total value locked in the protocol prior to the attack.

secondary title

(2) Official attitude: In addition to remediation, the attacker can pay back the money

After the accident, the Harvest team issued a document stating that in order to protect users, measures have been taken to prevent deposits to stablecoins and BTC vaults, and existing deposits will continue to earn FARM.

According to the announcement this morning, Harvest has withdrawn all funds from the shared pool, including DAI, USDC, USDT, TUSD as well as WBTC and renBTC. These funds are currently held in vaults and are not subject to further market manipulation. In addition, DAI, TUSD, WBTC, and renBTC were not involved in this attack, and depositors of these vaults were not affected.

In addition, regarding user compensation, Harvest stated that the more than 2.47 million US dollars returned by the attacker will be distributed proportionally to the affected depositors through snapshots, and other remedies will be analyzed and voted on in governance.

This accident also exposed the shortcomings of the Harvest system mechanism.

According to the analysis of the SlowMist security team, the main reason for this attack is that fToken (fUSDC, fUSDT, etc.) used quotes from the Curve y pool when minting coins, which led to attackers controlling the amount of fToken minted by manipulating the price of the oracle through huge exchanges .

For quoting, the next step for Harvest is to use oracles to determine asset prices.

“While an approximate asset price can effectively be determined from an external oracle (provided by Chainlink or Maker), it is very loosely linked to the actual price. If the asset value within the underlying DeFi protocol differs from the oracle quote, the vault will Facing free arbitrage and flash loan attacks. This is not a Harvest solution, however, we will consider the use of oracles in the system design and possible mitigation strategies.”Moreover, in the future, Harvest Finance will implement a "submission-disclosure" mechanism for deposits to reduce flash loan attacks and increase the deposit arb configuration (the current threshold is set to 3%). In addition, Harvest Finance’s smart contract improvement plan, originally scheduled for October 27, will also be postponed so that its security can be reassessed in the context of an attack.

Regarding the attacker, Harvest Finance announced the address involved in the case, and issued a document saying, "In addition to the BTC address holding the stolen funds, we have now obtained a large amount of personally identifiable information about the attacker, who is quite well-known in the encryption community."

However, Harvest Finance does not appear to have any intention of going after the attackers

• identity information.

• "We are not interested in exposing the attacker's personal information, we respect your technology and ingenuity, as long as you return the money to the user. The attacker has proved their point. If they can return the money to the user, it will Highly appreciated by all sectors of the community, returning funds to affected users is the focus."

We are offering a $100,000 bounty to the first individual or team that helps us recover our funds.

If the return is made within the next 36 hours, the bounty is $400,000. Please do not dox the attackers in the process, and we strongly recommend focusing all efforts on ensuring user funds are successfully returned to the deployers.

Because the attacker has been monetizing through RenBTC. As of press time, Harvest Finance has officially announced that it has obtained the relevant RenBTC withdrawal address through cooperation with RenProtocol, and announced the BTC address exported through RenProtocol. It is now seeking help from trading platforms such as Binance, Huobi, OKEx, and Coinbase. Freeze related addresses.

secondary title

• (3) Harvest Finance, which is deeply involved in negative public opinion

• Because Harvest Finance's attitude towards attackers is relatively "ambiguous", many voices believe that the official guards against theft, and staged a big drama of thieves shouting "stop thief".

• Crypto KOL @Bitcoin questioned:

• In fact, there is nothing more profitable than directly grabbing the user’s principal. The total market value of FARM is 25 million, and 20% of the project party’s coins. Even if all the coins are sold out, it will earn 5 million. A profit of tens of millions. Combined with the project party's handling plan for this matter, I think there is indeed a high probability that the project party will steal from them, so they will definitely not use the money they made to fill this pit;

Hackers took risks and only stole tens of millions of dollars but did not directly drain the pool of hundreds of millions. Obviously they did not want the project to die, which was consistent with the interests of the team;

Some investors asked on Twitter if they could use part of the team's coins to compensate the victims. Harvest replied that the amount of funds was too large and he could not afford it. In fact, everyone knows that whether to pay or not and whether they can afford to pay are two different things. This team doesn't want to pay at all;Chris BlecAccording to investors, investors in the community have been reporting the continuous decline in the net value of fusd being arbitraged, but the team has turned a blind eye to this situation for more than a month and allowed the "hackers" to arbitrage.

CoinTelegraphThis is not the first time Harvest Finance has been caught in a crisis of public opinion.This reveals the risk: more than $1 billion in funds locked in the project contract is completely under the control of anonymous developers, and the development team is suspected of deliberately concealing this fact.

Currency printingCiting the audit report by security team Haechi, the report stated that,Harvest Finance has an administrative key that allows holders to mint tokens and steal users’ funds at will, possibly held by the anonymous developer behind the project.

Currency printing

Pan Zhibiao

He said that the biggest reason why Harvest did not enter the currency printing DeFi financial management is that they did not pass the risk control of currency printing. , using a quick-acting policy mechanism, but greatly sacrificing security.