Key points:
Someone used a flash loan to earn $34 million from the Harvest liquidity pool.
Harvest announced that it was willing to pay $1 million to obtain conclusive evidence to help retrieve these funds.
However, Harvest has not yet proposed Plan B to compensate affected users.
Harvest Finance, a DeFi liquidity mining protocol, offered a $1 million bounty to find a hacker who earned nearly $34 million in revenue from its users over the weekend.
Harvest earlier offered a bounty of $100,000, then increased to a bounty of $400,000, and now it’s $1 million
In the previous attack, the attacker used a flash loan to artificially lower the prices of the stablecoins Tether and USDC on Harvest, and then snapped up the tokens from the liquidity pool at a bargaining price.
Therefore, the team of this DeFi project is working on several changes, including restrictions on lightning loans. Flash loans allow technology-savvy users to deposit and withdraw quickly at the same time, usually for price arbitrage, which is actually an attack. Since the asset value has been manipulated, Harvest referred to the attacker as “theft” in subsequent attack reports.
Although it can make up for the shortcomings of the agreement, Harvest Finance has not yet formulated a plan to compensate users, but said that it “is developing a remedial plan for the affected users.” At the same time, it issued a “modest request to return the funds to the deployer,” So that it can be assigned back to the user.”
In a tweet on October 26, Harvest hinted that its team knew who the attacker was, but was unwilling to deal with it. It proposed a $100,000 reward, followed by a $400,000 reward, to reward anyone who could persuade the person to return the funds.
But the attacker did not return it. Therefore, there is a greater reward this time. Harvest also admitted that it had no “conclusive evidence” to prove the identity of the attacker.
If the post of the agreement can be trusted, the plan to benefit the user as a whole is to get the funds back. It wrote on Wednesday: “Our main focus in week 9 is to recover funds from hackers and mitigate any lightning loan attacks that may affect users.”
However, an investigation into whether Tether and USDC depositors should be paid compensation through IOU tokens is ongoing. If it fails, the depositor of the agreement will bear part of the loss.
Harvest is also trying to avoid future attacks. It requires eight major exchanges to blacklist bitcoin addresses used by hackers, and at least one exchange is unwilling to do so. After the agreement was released, Jesse Powell, the founder of Kraken, wrote: “Don’t play with your DeFi scam and hope that the exchange will help you. I will not accept your attempt to deploy you rashly and recklessly. Attempt to externalize the cost.”
There is no doubt that Harvest is internalizing the results of its “engineering errors.” Its FARM token was trading at over $230 on Sunday and currently hovering around $100. Its 7-day drop was 61.8%, the largest drop among CoinGecko’s top 300 coins.
