The strange case of Harvest Finance October 21-28


We were adorned with another typical “Degen Yield Farm” that popped in and out of relevance this week.

Harvest Finance raised a total of up to $ 1 billion in value before an “economic exploit” caused it to collapse. The valued move is now $ 300 million and the prospects for a recovery look bleak.

Related articles

The exploit has once again sparked debate among members of the DeFi community as to whether these types of flash loan arbitrage attacks are actually hacks.

Harvest characteristics result in agricultural vaults similar to those of Yearn. They issue tokenized vault shares based on the value of user-provided assets. Some of these vaults rely on Curve’s Y-Pool, which drives liquidity for swaps between USDT, USDC, DAI and TUSD.

The attack used Flash Loans to convert USDT 17M to USDC via Curve, temporarily raising the USDC price to USD 1.01. The attacker then used another stash of approximately $ 50 million on loan from Flash, which the system believed was worth $ 50.5 million, to get into the Harvest USDC vault.

Upon entry, the attacker reversed the previous USDC trade back into USDT to balance the price, then immediately redeemed his shares in Harvests Pools to receive USDC – $ 50.5 million Net profit of $ 500,000 per cycle repeated so many times to make $ 24 million in loot.

So is this a hack or not?

There were no technical weaknesses here. A bypass test was performed on these types of “arbitrage” to determine if the price of these stable coins was too far from their intended value. But it was already set pretty low and it’s more of a slight inconvenience than an actual blocker – an attacker just needs to use more exploitation cycles.

This sequence is dizzying and still skips many steps.

With that in mind, proponents of the theory that this is just an arbitrage trade are correct – there is no unintended behavior in the code, it’s more like rigged market manipulation with weapons repeated at speed.

The Harvest Finance team nevertheless took responsibility for it as a design flaw, which is commendable.

In all honesty, I’m not even sure what these semantic debates are about. People lost money in avoidable ways. An audit should capture this and mark it as a critical problem.

However, it has to be definitely justified that it is a different category than bugs like re-entry. It is emphasized that these financial building blocks – often referred to as “money Lego” – must be designed with the greatest care on the drawing board.

It’s like someone made a gun out of Lego parts and people were arguing whether the gun was “made” or “discovered” because the parts were technically assembled as planned. In any case, the Lego pieces should be reworked so that they don’t become a deadly weapon.

A little too much trust for crypto standards

Before the hack, Harvest was known for its extreme level of centralization. In its heyday, the entire billion US dollars could have been stolen from a single address, most likely controlled by the anonymous team behind the project. A couple of audits have highlighted this fact and also made it clear that the address could nominate Minters and create tokens at will.

Fans of the project vigorously defended it, saying that due to the time lock, the holders of governance keys could steal the money only 12 hours after their intentions were signaled or that they could only print a limited number of tokens.

I will let you judge these arguments. The other point is that those “degens” in search of income ignore the basic principles of decentralization and know what DeFi is about.

And I’m not saying that it is bad because of some idealistic principles that I have. It is due to the carpet. These are the exact circumstances that led to disasters like UniCats.