Hacker stole $24 million worth of cryptocurrency from Harvest Finance

Harvest Finance confirmed the loss of $24 million: the hacker returned $2.5 million later

Hacker managed to steal $24 million from Harvest Finance.

An unknown cybercriminal has stolen $13 million worth of USD Coin (USDC) and $11 million worth of Tether (USDT) from decentralized finance (Defi) service Harvest Finance. The company almost immediately announced the fact on its Twitter page and Discord channel. Harvest Finance^[1] is a webpage that lets users invest cryptocurrencies and then automatically farm the highest price variations for small profit yields.

According to administrators, a hacker managed to stole funds after investing huge quantities of cryptocurrency assets in the Harvest Finance platform and then using a cryptographic exploit to siphon service's funds to the hacker's wallet. Specialists from Harvest Finance said:^[2]

The attacker repeatedly exploited the effects of impermanent loss of USDC and USDT inside the Y pool on Curve.fi. They used the manipulated asset value to deposit funds into the Harvest’s vaults and obtain vault shares for a beneficial price, and later exit the vault at a regular share price generating a profit.

However, just two minutes after the cyber attack, the hacker decided to return $2.5 million back to the company.^[3] It is still unclear why the cybercriminal returned the funds.

Developers of Harvest Finance responsible for the attack due to an engineering mistake

The company not only immediately confirmed the attack but also took full responsibility for the loss of $24 million. Developers of Harvest Finance said that they made an engineering mistake that was exploited by a well-known hacker in the crypto community. The company also assured that its specialists know all seven bitcoin wallets holding the attacker's funds.

Moreover, Harvest Finance explained, that the company withdrew all the funds from shared pools. All money is currently kept in the vaults in order to prevent further market manipulation. Also, developers assured that DAI, TUSD, renBTC, and WBTC were not involved in this attack, therefore depositors in these vaults were not affected.

Unfortunately, even after these actions, the total value locked in Harvest Finance dropped heavily. According to Defi Pulse,^[4] the value dropped from more than $1 billion on October 25 to less than $400 million on October 28.

Harvest Finance is offering a huge reward for anyone who finds a way to return the stolen money

The company is not only trying to strengthen the security of its service but also is offering a bounty^[5] to anyone who finds a way to return the stolen funds to its users. $400,000 bounty is valid for 36 hours from the attack that happened on October 26. After that, the bounty will be lowered to $100,000.

However, developers warned that they are only interested in recovering the money:

Please do not doxx the attacker in the process. We strongly advise to focus all efforts on ensuring that user funds are successfully returned to the deployer.

Moreover, they even publicly asked the hacker to return funds to affected users and admitted that cybercriminal has proven his point.^[6] Unfortunately, Harvest Finance developers' plea was ignored and they are still trying to fix the damage.