Harvest Finance, the decentralized finance robo-advisor that fell prey to a $34 million flash loan attack, is sorry for the “engineering error,” committed to change, and kindly requests that the thief return the stolen money.
In a blog post yesterday, Harvest Finance described how the attacker drained USDC and USDT from the vaults into which Harvest's investors had locked funds. The post also revised the total amount stolen upward; it was previously thought to be closer to $24 million.
The attacker took out a flash loan (an uncollateralized loan that must be borrowed and repaid within a single transaction) and used the borrowed funds to temporarily skew the USDT/USDC exchange rate in Curve, another DeFi protocol in which Harvest's vaults held their reserves. Because Harvest valued those reserves at Curve's rate, the skew drove down the price of the vaults' USDT and USDC shares, letting the attacker deposit into them at a discount. Reversing the swap restored the rate, the attacker withdrew at the recovered price, repaid the flash loan, and kept the difference.
The attack caused the price of Harvest's token, FARM, to plummet. It fell from $242 on Sunday to $100 today, according to data from CoinMarketCap. “We made an engineering mistake, we own up to it,” said the Harvest team in the blog post.
To stop this from happening again, Harvest has proposed a couple of fixes. First, make it impossible to deposit and withdraw funds within a single transaction; a flash loan must be borrowed and repaid in one transaction, so this blocks the deposit-then-withdraw cycle the attack relied on. Second, convert withdrawals of Curve tokens to stablecoins in separate transactions, so that a single manipulated price cannot be cashed out in the same breath; this limits the damage a flash loan can do.
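As an added illustration (constructed example, not Harvest's contracts or the attacker's transaction; the pool is a constant-product toy rather than Curve's stableswap, the vault is a simplified share-priced vault, and every balance, address and transaction id is made up), the following Python simulates the cycle described above against a vault that values its reserves at the pool's spot rate, then applies the first proposed fix:

```python
from fractions import Fraction as F


class Pool:
    """Toy constant-product USDT/USDC pool (constructed; Curve uses a different
    curve, but the spot rate is still a function of the reserves either way)."""

    def __init__(self, usdt, usdc):
        self.usdt, self.usdc = F(usdt), F(usdc)

    def usdc_per_usdt(self):
        # spot rate read straight from reserves: this is the manipulable "oracle"
        return self.usdc / self.usdt

    def swap_usdt_for_usdc(self, amount_in):
        k = self.usdt * self.usdc
        self.usdt += F(amount_in)
        out = self.usdc - k / self.usdt
        self.usdc -= out
        return out

    def swap_usdc_for_usdt(self, amount_in):
        k = self.usdt * self.usdc
        self.usdc += F(amount_in)
        out = self.usdt - k / self.usdc
        self.usdt -= out
        return out


class SpotPricedVault:
    """Vault holding idle USDC plus a USDT-denominated position in the pool.
    The flaw: the position is valued at the pool's spot rate when shares are priced."""

    def __init__(self, pool, idle_usdc, invested_usdt, shares):
        self.pool, self.balances = pool, {}
        self.idle_usdc, self.invested_usdt = F(idle_usdc), F(invested_usdt)
        self.total_shares = F(shares)

    def share_price(self):
        value = self.idle_usdc + self.invested_usdt * self.pool.usdc_per_usdt()
        return value / self.total_shares

    def deposit(self, who, usdc, tx):
        minted = F(usdc) / self.share_price()
        self.idle_usdc += F(usdc)
        self.total_shares += minted
        self.balances[who] = self.balances.get(who, F(0)) + minted
        return minted

    def withdraw(self, who, shares, tx):
        shares = F(shares)
        assert self.balances.get(who, F(0)) >= shares
        out = shares * self.share_price()
        assert out <= self.idle_usdc, "toy vault pays only from idle USDC"
        self.idle_usdc -= out
        self.total_shares -= shares
        self.balances[who] -= shares
        return out


class GuardedVault(SpotPricedVault):
    """First proposed fix: an account may not deposit and withdraw in one transaction
    (tx is a constructed transaction identifier standing in for the on-chain one)."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.last_deposit_tx = {}

    def deposit(self, who, usdc, tx):
        self.last_deposit_tx[who] = tx
        return super().deposit(who, usdc, tx)

    def withdraw(self, who, shares, tx):
        if self.last_deposit_tx.get(who) == tx:
            raise PermissionError("deposit and withdraw in the same transaction")
        return super().withdraw(who, shares, tx)


def run_attack(vault_cls):
    """One-transaction flash-loan cycle. Returns the attacker's net USDC gain after
    repaying both loans, or None if the vault's guard stopped the withdrawal."""
    pool = Pool(10_000_000, 10_000_000)
    vault = vault_cls(pool, idle_usdc=2_000_000, invested_usdt=8_000_000, shares=10_000_000)
    tx = "0xattack"
    loan_usdt, loan_usdc = F(5_000_000), F(3_000_000)
    usdt, usdc = loan_usdt, loan_usdc
    # 1. skew the pool: dump the borrowed USDT, so the spot USDC-per-USDT rate collapses
    usdc += pool.swap_usdt_for_usdc(usdt)
    usdt = F(0)
    # 2. the vault now undervalues its USDT position, so deposited USDC buys extra shares
    shares = vault.deposit("attacker", loan_usdc, tx)
    usdc -= loan_usdc
    # 3. unwind the swap: the rate snaps back and the share price rises
    usdt += pool.swap_usdc_for_usdt(usdc)
    usdc = F(0)
    # 4. cash out the over-minted shares at the recovered price
    try:
        usdc += vault.withdraw("attacker", shares, tx)
    except PermissionError:
        return None  # guard fired; the attacker is left holding shares and owing the loans
    # 5. repay both flash loans; if this were not possible the whole transaction would revert
    usdt -= loan_usdt
    usdc -= loan_usdc
    assert usdt >= 0 and usdc >= 0
    return usdc
```

With these constructed balances the unguarded vault hands the attacker roughly 1.56M USDC of other depositors' money, while `GuardedVault` rejects step 4 and the cycle cannot complete. The guard only closes the single-transaction path; it does not make the spot-rate valuation itself safe, which is why the second fix (settling Curve-token withdrawals in a separate transaction) is needed as well.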
While the protocol's creators fix the vulnerability, they want the money back. “The attacker has proven their point. If they can return the funds to the users, it would be greatly appreciated by the community,” they said in the blog post (reiterating an earlier plea via Twitter).
For the attacker: you've proven your point, if you can return the funds to the users, it would be greatly appreciated by the community, including many bystanders watching DeFi from afar
— Harvest Finance (@harvest_finance) October 26, 2020
Harvest is offering a $100,000 bounty to the person who convinces the attacker to return the funds, rising to $400,000 if the funds come back within the next 36 hours. “Please do not doxx the attacker in the process.” Perhaps there's honor among degens, after all.