In brief

  • Someone used a flash loan to make off with $34 million from Harvest liquidity pools.
  • Harvest is paying $1 million for hard evidence that leads to funds being returned.
  • It hasn't presented a Plan B for making affected users whole.

Harvest Finance, a DeFi yield farming protocol, is offering a $1 million bounty to find a hacker that made off with nearly $34 million from its users over the weekend.

Harvest had earlier offered a $100,000, then a $400,000 bounty.

The attacker used a flash loan to artificially deflate prices of stablecoins Tether and USDC on Harvest—and then snatch the tokens up at bargain-basement prices from liquidity pools.

As a result, the DeFi project’s team is looking into several changes, including restricting flash loans, which allow tech-savvy users to deposit and withdraw funds simultaneously, usually for price arbitrage, which is essentially what the attack was. Harvest referred to it as "theft" within its attack post-mortem, as the asset values had been manipulated.
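To make the mechanism and the mitigation concrete, here is an added toy model (not Harvest's code, and not a reconstruction of the actual exploit) of a vault that prices deposits against a constant-product stablecoin pool. It shows how a single oversized trade within one block drags the pool's spot price off its peg, and two guards of the kind the post-mortem discusses: refusing to transact while the pool price deviates from a reference, and refusing a withdrawal in the same block as the deposit. The pool type, reserve sizes, fee, deviation threshold and user names are all constructed for illustration.

```python
"""Toy model of two flash-loan mitigations: a pool-price deviation check and a
same-block deposit/withdraw guard. Added illustration; not Harvest Finance code."""

from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """Minimal x*y=k pool for two stablecoins; reserves are in whole tokens."""
    reserve_a: float          # e.g. USDT (constructed label)
    reserve_b: float          # e.g. USDC (constructed label)
    fee: float = 0.0004       # 4 bps trading fee, a constructed value

    def spot_price_a(self) -> float:
        """Instantaneous price of token A quoted in token B."""
        return self.reserve_b / self.reserve_a

    def swap_a_for_b(self, amount_in: float) -> float:
        """Sell `amount_in` of A into the pool; reserves move along x*y=k."""
        k = self.reserve_a * self.reserve_b
        effective_in = amount_in * (1 - self.fee)
        amount_out = self.reserve_b - k / (self.reserve_a + effective_in)
        self.reserve_a += amount_in
        self.reserve_b -= amount_out
        return amount_out


def price_deviation(observed: float, reference: float) -> float:
    """Relative distance of a pool spot price from a trusted reference."""
    return abs(observed - reference) / reference


class GuardedVault:
    """Vault that refuses to transact against a pool whose spot price has drifted
    from the reference, and refuses a withdrawal in the block of the deposit."""

    def __init__(self, pool: ConstantProductPool, reference_price: float,
                 max_deviation: float = 0.003) -> None:
        self.pool = pool
        self.reference_price = reference_price   # e.g. the 1:1 peg or an external oracle
        self.max_deviation = max_deviation       # 30 bps, a constructed threshold
        self.balances: dict[str, float] = {}
        self.last_deposit_block: dict[str, int] = {}

    def _check_price(self) -> None:
        dev = price_deviation(self.pool.spot_price_a(), self.reference_price)
        if dev > self.max_deviation:
            raise ValueError(f"pool price off reference by {dev:.1%}; refusing")

    def deposit(self, user: str, amount: float, block: int) -> None:
        self._check_price()
        self.balances[user] = self.balances.get(user, 0.0) + amount
        self.last_deposit_block[user] = block

    def withdraw(self, user: str, block: int) -> float:
        if self.last_deposit_block.get(user) == block:
            raise ValueError("deposit and withdrawal in the same block; refusing")
        self._check_price()
        return self.balances.pop(user, 0.0)


def run_scenario() -> dict:
    """Walk the vault through a pool skew and record what each guard does."""
    pool = ConstantProductPool(reserve_a=50_000_000, reserve_b=50_000_000)
    vault = GuardedVault(pool, reference_price=1.0)
    out = {"price_before": pool.spot_price_a()}

    vault.deposit("alice", 1_000, block=100)        # normal deposit while pool is at peg

    # One very large sale of A (the size a flash loan makes available) pushes
    # the pool far off its peg inside a single block.
    pool.swap_a_for_b(10_000_000)
    out["price_after"] = pool.spot_price_a()
    out["deviation"] = price_deviation(out["price_after"], 1.0)

    try:                                            # vault declines to price anything now
        vault.deposit("bob", 1_000, block=100)
        out["deposit_rejected"] = False
    except ValueError:
        out["deposit_rejected"] = True

    try:                                            # round trip inside one block is refused
        vault.withdraw("alice", block=100)
        out["same_block_withdraw_rejected"] = False
    except ValueError:
        out["same_block_withdraw_rejected"] = True

    # Simplification: assume arbitrage has restored the reserves by the next block,
    # so a withdrawal in block 101 passes both guards.
    pool.reserve_a, pool.reserve_b = 50_000_000, 50_000_000
    out["next_block_withdraw"] = vault.withdraw("alice", block=101)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The same-block guard is a blunt version of "restricting flash loans": a flash loan must be repaid within the transaction that took it, so any strategy that depends on depositing and withdrawing in one block is cut off. The deviation check is the complementary control; it stops the vault from using a manipulated spot price at all, whether or not a flash loan was involved. A production design would compare against a time-weighted average or an independent oracle rather than a fixed peg.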

While owning up to the protocol’s shortcomings, Harvest Finance has not yet laid out a plan for compensating users, but says that it’s “formulating a remediation plan for affected users.” In the meantime, it issued a “[humble] request that the funds are returned to the deployer so that it can be distributed back to the users.”

In an October 26 tweet, Harvest implied that its team knows who the attacker was but was unwilling to doxx them; it proposed a $100,000 reward, then a $400,000 one, to whoever could convince that person to return the funds. 

That hasn’t happened yet. Hence the larger reward. Harvest also admitted that it doesn’t have “hard proof” of the attacker’s identity.

If the protocol’s posts are to be believed, its plan for making users whole rests on getting the funds returned. It wrote on Wednesday: “Our main focus in Week 9 is to restore funds from the hacker and to mitigate any flashloan attacks that can affect users.”

There is, however, an ongoing poll about whether reparations should be paid to Tether and USDC depositors via an IOU token. If it fails, the depositors would be on the hook for a portion of the loss.

Harvest is also trying to make future attacks all but verboten. It asked eight major exchanges to blacklist Bitcoin addresses used by the hacker, which at least one exchange was reluctant to do. Subtweeting the protocol, Kraken founder Jesse Powell wrote: “Stop fucking up your bullshit DeFi scams and expecting exchanges to bail you out. I will not accept your attempt at externalizing the cost of your hasty, reckless rollout.”

Harvest is certainly internalizing the results of its “engineering error.” Its FARM token, which was trading for above $230 on Sunday, is currently hovering around $100. Its 7-day drop of 61.8% is the largest of any coin in CoinGecko’s top 300. 

Decrypt has reached out to Harvest for comment.