October 30, 2020
By Sam Grant
Harvest Finance suffered a huge loss of $34 million at the beginning of this week and is offering a reward to track down the attacker
The $1 million bounty will be paid to anyone who provides hard evidence that leads to recovering the stolen funds. Harvest Finance initially offered two rewards but seeing as nothing came of them, the firm’s DeFi protocol is upping its reward.
How the funds were stolen
The yield farming protocol lost $34 million after an attacker used a flash loan to drain Harvest Finance’s liquidity pools. It is reported that the attacker manipulated the value of Harvest Finance’s reserves in Curve. The flash loan subsequently deflated the prices of Tether and USDC on Harvest.
The attacker then proceeded to grab the tokens from liquidity pools for far less than they were worth. On Monday morning it was thought that the attacker had walked away with around $24 — but Harvest Finance updated the figure through a blog post later in the day.
The DeFi firm acknowledged the error and accepted the mistake in the blog post saying, “We made an engineering mistake, we own up to it.” Harvest Finance’s team is currently considering a number of changes to prevent a future incident. It is likely that the project’s team will restrict flash loans as part of these measures.
The protocol is yet to provide an outline for how it plans to compensate its users. The team, however, said it was currently formulating a remediation plan.
On Monday, the Harvest Finance team claimed to know the identity of the attacker but declined to make it public. The company then set a reward of $100,000, and later $400,00o, to anyone that could convince the attacker to return the funds.
Harvest Finance has since admitted it lacks substantial proof of the identity of the attacker. Based on the post made by the protocol so far, compensation for users hinges on the stolen funds being recovered.
“Our main focus in Week 9 is to restore funds from the hacker and to mitigate any flash loan attacks that can affect users.”