
Harvest Finance Offers $1 Million To Get Stolen $34 Million Back

decrypt.co, 30 October 2020 19:10 UTC

Harvest Finance, a DeFi yield farming protocol, is offering a $1 million bounty to find a hacker that made off with nearly $34 million from its users over the weekend.

Harvest had earlier offered a $100,000, then a $400,000 bounty.

The attacker used a flash loan to artificially deflate prices of stablecoins Tether and USDC on Harvest—and then snatch the tokens up at bargain-basement prices from liquidity pools.

💵Increasing the bounty for tracking down the attacker and returning the funds to $1M

Here's what we know about the attacker:

1) understands flashloans
2) understands arbitrage and trading
3) understands curve internal code
4) understands renBTC
5) understands opsec

1/2

— Harvest Finance (@harvest_finance) October 29, 2020

As a result, the DeFi project’s team is looking into several changes, including restricting flash loans—which allow tech-savvy users to deposit and withdraw funds simultaneously, usually for price arbitrage, which is essentially what the attack was. Harvest nevertheless called it "theft" in its attack post-mortem, since the asset values had been manipulated.
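The mechanism described above, as a constructed toy simulation added here (not Harvest's code, contracts or figures): a vault that values deposits off a pool's spot price mints too many shares when that price is skewed inside a single transaction, and a same-block deposit/withdraw restriction of the kind Harvest says it is considering forces the flash-loan-funded transaction to revert. The `Pool`, `Vault` and `simulate` names, the constant-product pricing and every number are assumptions.

```python
# Constructed toy model; numbers and names are assumptions, not Harvest's own.
class Pool:
    """Constant-product USDC/USDT pool whose spot price the vault trusts."""
    def __init__(self, usdc, usdt):
        self.r = {"USDC": usdc, "USDT": usdt}
    def price_usdt(self):                 # USDT quoted in USDC, from reserves
        return self.r["USDC"] / self.r["USDT"]
    def swap(self, sell, amt):            # sell `amt` of one coin for the other
        buy = "USDT" if sell == "USDC" else "USDC"
        k = self.r["USDC"] * self.r["USDT"]
        self.r[sell] += amt
        out = self.r[buy] - k / self.r[sell]
        self.r[buy] -= out
        return out

class Vault:
    """Prices shares off the pool's spot price. same_block_guard models the
    'restrict flash loans' change: no withdrawal in the deposit's block."""
    def __init__(self, pool, usdc, usdt, same_block_guard):
        self.pool, self.usdc, self.usdt = pool, usdc, usdt
        self.shares = {"users": usdc + usdt}          # honest depositors
        self.guard, self.deposit_block = same_block_guard, {}
    def total_value(self):                            # vault NAV in USDC terms
        return self.usdc + self.usdt * self.pool.price_usdt()
    def deposit_usdt(self, who, amt, block):
        value = amt * self.pool.price_usdt()          # manipulable input
        minted = value * sum(self.shares.values()) / self.total_value()
        self.usdt += amt
        self.shares[who] = self.shares.get(who, 0) + minted
        self.deposit_block[who] = block
    def withdraw_all_usdt(self, who, block):
        if self.guard and self.deposit_block.get(who) == block:
            raise ValueError("deposit and withdrawal in the same block")
        total = sum(self.shares.values())
        out = self.shares.pop(who) / total * self.total_value() / self.pool.price_usdt()
        self.usdt -= out
        return out

def simulate(same_block_guard):
    # Returns the attacker's profit in USDT, or None if the guard reverts the tx.
    pool = Pool(1_000_000, 1_000_000)
    vault = Vault(pool, 1_000_000, 1_000_000, same_block_guard)
    loan_usdc, loan_usdt = 500_000, 1_000_000    # flash-borrowed, due back in block 1
    skew = pool.swap("USDC", loan_usdc)          # USDC now looks cheap, USDT dear
    vault.deposit_usdt("attacker", loan_usdt, block=1)   # deposit is over-valued
    pool.swap("USDT", skew)                      # unwind: pool price back to 1.0
    try:
        got = vault.withdraw_all_usdt("attacker", block=1)  # needed to repay loans
    except ValueError:
        return None                              # guard fires; whole tx reverts
    return got - loan_usdt                       # loss borne by honest depositors
```

The guard works here only because the flash loan must be repaid within the block; a deposit that was mispriced by a skewed spot price is already a loss for existing depositors, so a price-sanity check at deposit time is the complementary control (an assumption of this example, not something the article reports).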


While owning up to the protocol’s shortcomings, Harvest Finance has not yet laid out a plan for compensating users, but says that it’s “formulating a remediation plan for affected users.” In the meantime, it issued a “[humble] request that the funds are returned to the deployer so that it can be distributed back to the users.”

In an October 26 tweet, Harvest implied that its team knows who the attacker was but was unwilling to doxx them; it proposed a $100,000 reward, then a $400,000 one, to whoever could convince that person to return the funds.

In addition to the BTC addresses which hold the funds, there is now a significant amount of personally identifiable information on the attacker, who is well-known in the crypto community.

We are putting out a 100k bounty for the first person or team to reach out to the attacker

— Harvest Finance (@harvest_finance) October 26, 2020

That hasn’t happened yet. Hence the larger reward. Harvest also admitted that it doesn’t have “hard proof” of the attacker’s identity.

We have no direct hard proof.

Getting the direct hard proof leading to the return of funds is the point of the $1M bounty.

— Harvest Finance (@harvest_finance) October 29, 2020

If the protocol’s posts are to be believed, its plan for making users whole rests on getting the funds returned. It wrote on Wednesday: “Our main focus in Week 9 is to restore funds from the hacker and to mitigate any flashloan attacks that can affect users.”

There is, however, an ongoing poll about whether reparations should be paid to Tether and USDC depositors via an IOU token. If it fails, the depositors would be on the hook for a portion of the loss.

Harvest is also trying to make future attacks all but verboten. It asked eight major exchanges to blacklist Bitcoin addresses used by the hacker, which at least one exchange was reluctant to do. Subtweeting the protocol, Kraken founder Jesse Powell wrote: “Stop fucking up your bullshit DeFi scams and expecting exchanges to bail you out. I will not accept your attempt at externalizing the cost of your hasty, reckless rollout.”

Stop fucking up your bullshit DeFi scams and expecting exchanges to bail you out. I will not accept your attempt at externalizing the cost of your hasty, reckless rollout. Invest in audits, insurance and please DYOR. Taking your losses is the only way to enlightenment.

— Jesse Powell (@jespow) October 26, 2020

Harvest is certainly internalizing the results of its “engineering error.” Its FARM token, which was trading for above $230 on Sunday, is currently hovering around $100. Its 7-day drop of 61.8% is the largest of any coin in CoinGecko’s top 300.

Decrypt has reached out to Harvest for comment.
