Defi Protocol Harvest Finance Hacked for $24 Million, Attacker Returns $2.5 Million

Decentralized finance (defi) protocol Harvest Finance was hacked on Monday for $24 million. The attacker targeted the protocol’s liquidity pools, performing an arbitrage attack using a large flash loan, a type of uncollateralized loan, but later returned $2.5 million. The hack was complete in seven minutes.

Harvest Finance revealed that the hacker “manipulated prices on one money lego (curve y pool) to drain another money lego [farm USDT (fUSDT), farm USDC (fUSDC)], many times. The attacker then converted the funds to renBTC and exited to bitcoin.”

RenBTC is a bitcoin-backed token used on the Ethereum blockchain.

Farm, Harvest’s native token, fell 54% to $101.79 on the news, according to Coingecko data. Following the attack, the amount of money locked in the protocol also crashed to $575 million from $1 billion on Oct. 25, as fretful investors pulled their deposits.

Harvest provided a list of 10 bitcoin addresses belonging to the hacker, to which it believes the stolen funds may have been moved. It also asked exchanges like Binance, Coinbase, and Huobi to block the attacker’s addresses.

The three-month-old platform said that there is a “significant amount of personally identifiable information on the attacker, who is well-known in the crypto community.” Not willing to dox the cyber-thief, Harvest Finance is now offering a $100,000 bounty “for the first person or team to reach out to the attacker”.

The $2.5 million returned by the hacker will be “distributed to the affected depositors pro-rata using a snapshot,” Harvest tweeted.

Harvest’s hack comes just six weeks after an attacker made off with $8.1 million in bitcoin from another defi protocol, Bzx. However, Bzx managed to recover the funds.

