An arbitrage trade exploiting weak spots in the decentralized finance (DeFi) protocol Harvest Finance resulted in the embezzlement of some $ 24 million in stablecoins from the project pools on Monday, according to CoinGecko.
According to reports, an attacker used a flash loan – a technique that allows a trader to take massive leverage without any inconvenience – to manipulate DeFi prices for profit. The exploit brought down the platform’s native token, FARM, by 65% in less than an hour, followed by the total locked-in value of the project (TVL), which fell by over $ 1 billion. before the feat at $ 430 million at the time of publication.
The funds were eventually exchanged for bitcoin (BTC), but not before being scanned by the Ethereum Tornado Cash mixing service.
Mixing the pieces didn’t leave the Harvest Finance team in the dark for long. The person behind the exploit “is well known in the crypto community” after leaving “a significant amount of personally identifiable information,” according to the project’s Discord. The seven bitcoin wallets containing the attacker’s funds are also known.
The anonymous developers behind the project don’t want to complicate the party but instead offer a $ 100,000 bounty to convince the attacker to return the funds.
“For the attacker: you have proven your point, if you can return the funds to the users, it would be greatly appreciated by the community, including many passers-by,” the team said via Discord.
The exploit itself was executed by a series of arbitrage transactions between the DeFi Uniswap, Curve Finance and Harvest Finance protocols, according to Etherscan. The attacker began by taking out a USC $ 50 million flash loan from Uniswap. Then they started trading between the USDT and the tether (USDT) to make the prices of the two tokens fluctuate.
The price of USDT started to fall on Harvest Finance as the attacker traded tokens back and forth. The attacker then traded discounted USDT for stablecoins taken out as part of the flash loan. The perpetrator committed the act on several occasions. Each successful exchange was then turned into Ether (ETH) then tokenized bitcoin (WBTC and renBTC, in that order) and finally BTC, according to Zerion.
Interestingly, some $ 2.5 million was sent back to the Harvest Finance contract. The developer team said the funds will be distributed on a pro rata basis to affected users. The token price rebounded slightly, down 49% in 24 hours to $ 126.82, according to CoinGecko. The exploit joins a group of similar flash-loan-based arbitrage transactions conducted against DeFi apps in 2020. For example, the bZx lending platform was the first to be hit by a flash-loan exploit in February. 2020.