Early Monday, Harvest Finance became the latest decentralized finance (DeFi) project to be exploited. An estimated $33.8 million, about 3.2% of the total value locked (TVL) in the protocol before the attack, was lost.
A couple of days before the attack, the project’s TVL surpassed $1 billion, which has now come down to a mere $300 million, as per DeFi Pulse. Since then, its FARM token has also lost 60% of its value, currently trading at $96.5.
To catch the attacker, the anonymous team behind the project has raised the bounty for identifying the hacker to $1 million; it had already been increased from $100,000 to $400,000.
Initially, the team said it knew the person behind the hack, “who is well-known in the crypto community,” and did not want to dox them. As per the latest update, all the team knows about the hacker so far is that they have an understanding of how DeFi works.
How dare a hacker understand Defi principles. https://t.co/1mBwVXMRN8
— Impermanent Capital (@ledgerstatus) October 29, 2020
The attacker, meanwhile, is actively “money laundering” Bitcoin through various darknet mixers and crypto exchanges, including Binance, Huobi, Kraken, and Coins.ph, according to the post-mortem of the incident.
1. Swap 11.4m USDC to USDT -> USDT price up
2. Deposit 60.6m USDT into Vault
3. Exchange 11.4m USDT to USDC -> USDT price down
4. Withdraw 61.1m USDT from Vault -> 0.5m profit
5. Rinse and repeat
— Valentin Mihov (@valentinmihov) October 26, 2020
Following the attack, funds from the shared pools (DAI, USDC, USDT, TUSD, WBTC, and renBTC), which were “not affected,” have been withdrawn.
The Harvest Finance team further said that it is taking full responsibility for the engineering error and is now working on a remediation plan for affected users.
The possible remediation techniques the team is considering include implementing a commit-and-reveal mechanism for deposits, stricter configuration of the existing deposit arb check in the strategies, withdrawals in an underlying asset, and using oracles for determining asset price. The team stated,
“We made an engineering mistake, we own up to it. Thousands of people are acting as collateral damage, so we humbly request the attacker to return funds to the deployer, where it will be distributed back to the users in its entirety.”
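As an added illustration, not code from the article or from Harvest Finance, the toy simulation below models the accounting weakness behind the four-step sequence in the tweet above and two of the remediations the team lists: a deposit-time price-deviation check (the “deposit arb check”) and valuing the vault's position at an oracle price instead of the pool's spot price. The constant-product pool, the vault's liquid buffer and LP share, the 1% deviation threshold and the reference price of 1.0 are all constructed assumptions; Harvest's real strategy logic, pool and thresholds differ.

```python
"""Toy model: a USDT vault whose share price depends on a manipulable pool
spot price, plus two mitigations (deviation check, oracle valuation).

All figures are constructed for illustration and are not Harvest's real
pool sizes, thresholds or vault accounting.
"""


class ConstantProductPool:
    """Minimal fee-less x*y=k pool of two dollar stablecoins (USDC, USDT)."""

    def __init__(self, usdc: float, usdt: float) -> None:
        self.usdc = usdc
        self.usdt = usdt

    def usdt_price(self) -> float:
        """Spot price of 1 USDT in USDC implied by the reserves."""
        return self.usdc / self.usdt

    def swap_usdc_for_usdt(self, usdc_in: float) -> float:
        k = self.usdc * self.usdt
        self.usdc += usdc_in
        usdt_out = self.usdt - k / self.usdc
        self.usdt = k / self.usdc
        return usdt_out

    def swap_usdt_for_usdc(self, usdt_in: float) -> float:
        k = self.usdc * self.usdt
        self.usdt += usdt_in
        usdc_out = self.usdc - k / self.usdt
        self.usdc = k / self.usdt
        return usdc_out


class Vault:
    """USDT vault holding a liquid USDT buffer plus a fixed LP share of the pool.

    valuation="spot":   LP position valued in USDT at the pool's spot price
                        (manipulable within a single transaction).
    valuation="oracle": LP position valued at REFERENCE_PRICE, standing in
                        for an external oracle (assumed 1.0 for two stablecoins).
    max_deviation:      if set, deposits are refused while the spot price is
                        further than this fraction from the reference
                        (the "deposit arb check").
    """

    REFERENCE_PRICE = 1.0  # assumed oracle/reference price of USDT in USDC

    def __init__(self, pool, buffer_usdt, lp_fraction, total_shares,
                 valuation="spot", max_deviation=None):
        self.pool = pool
        self.buffer_usdt = buffer_usdt
        self.lp_fraction = lp_fraction
        self.total_shares = total_shares
        self.valuation = valuation
        self.max_deviation = max_deviation

    def underlying_usdt(self) -> float:
        lp_usdc = self.lp_fraction * self.pool.usdc
        lp_usdt = self.lp_fraction * self.pool.usdt
        price = (self.pool.usdt_price() if self.valuation == "spot"
                 else self.REFERENCE_PRICE)
        return self.buffer_usdt + lp_usdt + lp_usdc / price

    def price_per_share(self) -> float:
        return self.underlying_usdt() / self.total_shares

    def deposit(self, usdt_amount: float) -> float:
        if self.max_deviation is not None:
            deviation = abs(self.pool.usdt_price() - self.REFERENCE_PRICE) / self.REFERENCE_PRICE
            if deviation > self.max_deviation:
                raise ValueError(f"deposit rejected: spot price off reference by {deviation:.2%}")
        shares = usdt_amount / self.price_per_share()
        self.buffer_usdt += usdt_amount
        self.total_shares += shares
        return shares

    def withdraw(self, shares: float) -> float:
        usdt_out = shares * self.price_per_share()
        if usdt_out > self.buffer_usdt:
            raise ValueError("insufficient liquid buffer")
        self.buffer_usdt -= usdt_out
        self.total_shares -= shares
        return usdt_out


def run_sequence(valuation="spot", max_deviation=None):
    """Replay the tweet's four steps against a fresh pool and vault.

    Returns (depositor's net USDT, loss borne by the other share holders).
    Constructed sizes: 500m/500m pool; vault with a 100m USDT buffer and 10%
    of the pool (100m at par) backing 200m shares, so shares start at 1.0.
    """
    pool = ConstantProductPool(usdc=500e6, usdt=500e6)
    vault = Vault(pool, buffer_usdt=100e6, lp_fraction=0.10, total_shares=200e6,
                  valuation=valuation, max_deviation=max_deviation)
    others_before = vault.underlying_usdt()

    usdt_got = pool.swap_usdc_for_usdt(11.4e6)   # 1. USDT price up, LP looks worth less
    shares = vault.deposit(60.6e6)                # 2. deposit while shares are underpriced
    pool.swap_usdt_for_usdc(usdt_got)             # 3. reverse the swap, price back to par
    usdt_back = vault.withdraw(shares)            # 4. redeem at the restored share price

    net = usdt_back - 60.6e6
    loss = others_before - vault.underlying_usdt()
    return net, loss
```

With spot valuation the depositor receives roughly 0.5m USDT more than was deposited, and that amount is exactly what the remaining holders lose; with oracle valuation the same sequence returns slightly less than was deposited, and with the deviation check the deposit in step 2 is refused. The threshold only caps how far off the reference a deposit can be priced, while oracle valuation removes the link between pool state and share price, so the two measures address different parts of the problem.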