Harvest Finance suffered a flash loan attack, mainly because fToken minting used the quotation from the Curve y pool. By manipulating that oracle price through huge swaps, the attacker could control the amount of fToken minted and profit from the difference.
Written by: Ad
At about 12 noon on October 26, the popular DeFi project Harvest Finance was hit by a hacker attack. According to Twitter users, a hacker is suspected to have taken out a flash loan and, starting with 20 ETH, cashed out over US$4 million from Harvest Finance.
After the news spread, the price of Harvest Finance’s FARM token fell by nearly 60% in a short period, and the total value locked in Harvest Finance and Curve dropped significantly. At the time of writing, Curve’s locked value is US$853 million, down 25.92% from yesterday, and Harvest Finance’s locked value is US$585 million, down 47.27% from yesterday.
Lianwen has compiled the relevant information and briefly analyzes the key points of the Harvest Finance security incident.
What exactly happened?
According to the analysis of the SlowMist security team, the flash loan attack on Harvest Finance was possible mainly because Harvest Finance’s fTokens (fUSDC, fUSDT, …) used the quotation from the Curve y pool (that is, Curve served as the price feed). The attacker could therefore control the amount of fToken minted by Harvest Finance by manipulating the oracle price through huge swaps, and profit from it.
- The attacker transfers 20 ETH through Tornado.cash to pay for the subsequent attack;
- The attacker borrows a huge amount of USDC and USDT through a UniswapV2 flash loan;
- The attacker first uses Curve’s exchange_underlying function to swap USDT for USDC. At this point, investedUnderlyingBalance in the Curve yUSDC pool becomes correspondingly smaller;
- The attacker then deposits a huge amount of USDC into the Vault through Harvest’s deposit, and the Harvest Vault mints fUSDC. The amount minted is calculated as follows: amount.mul(totalSupply()).div(underlyingBalanceWithInvestment());
The underlyingBalanceWithInvestment term in this calculation takes its value from investedUnderlyingBalance in Curve, so the change in investedUnderlyingBalance in Curve causes the Vault to mint more fUSDC.
- The attacker then uses Curve to swap USDC back to USDT, bringing the unbalanced price back to normal;
- Finally, the attacker only needs to return the fUSDC to the Vault to receive more USDC than was deposited;
- The attacker then repeats this process to keep making profit.
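As an added worked example (not code from Harvest Finance or from the SlowMist analysis), the following toy Python vault reproduces the share accounting in the steps above: shares are minted with the page’s formula, amount * totalSupply / underlyingBalanceWithInvestment, where the invested balance is an externally reported value. The vault size, deposit, the 5% depressed reading and the deviation-tolerance check are all constructed assumptions; the check is an illustrative mitigation, not a description of Harvest’s actual patch.

```python
# Added example, not Harvest Finance's code: toy model of fToken share
# accounting driven by an externally reported invested balance.
from typing import Optional


class ShareVault:
    def __init__(self, underlying: int, tolerance: Optional[float] = None):
        self.true_balance = underlying     # assets the vault really controls
        self.total_supply = underlying     # fToken supply; starts at 1:1
        self.reference = underlying        # last trusted invested-balance reading
        self.tolerance = tolerance         # None = no deviation check (as attacked)

    def deposit(self, amount: int, reported_invested: int) -> int:
        """Mint shares against the externally reported invested balance."""
        if self.tolerance is not None:
            # Assumed mitigation (not Harvest's real fix): refuse deposits while
            # the external reading deviates too far from the trusted reference.
            deviation = abs(reported_invested - self.reference) / self.reference
            if deviation > self.tolerance:
                raise ValueError("invested balance deviates from reference; deposit rejected")
        # Same formula as the page:
        # amount.mul(totalSupply()).div(underlyingBalanceWithInvestment())
        minted = amount * self.total_supply // reported_invested
        self.true_balance += amount       # the deposit itself is fully real
        self.total_supply += minted
        return minted

    def withdraw(self, shares: int) -> int:
        """Redeem shares at the vault's real value once the pool has normalised."""
        out = shares * self.true_balance // self.total_supply
        self.true_balance -= out
        self.total_supply -= shares
        return out


def attacker_profit(vault_size: int, deposit: int, depressed_reading: int,
                    tolerance: Optional[float] = None) -> int:
    """One deposit/withdraw round; returns the gain, or raises if blocked."""
    vault = ShareVault(vault_size, tolerance)
    shares = vault.deposit(deposit, depressed_reading)  # deposit while reading is low
    return vault.withdraw(shares) - deposit             # redeem after price normalises


if __name__ == "__main__":
    # Constructed numbers: 10M vault, 1M deposit, reading depressed by 5%.
    print(attacker_profit(10_000_000, 1_000_000, 9_500_000))  # 47618
    print(attacker_profit(10_000_000, 1_000_000, 10_000_000))  # 0 (fair reading)
```

With a 1% tolerance the same depressed reading is rejected, which shows why the deposit-time valuation, not the swap itself, is the defensive control point.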
The other attack rounds follow the same process as analyzed above. Refer to transaction hash:
0x35f8d2f572fceaac9288e5d462117850ef2694786992a8c3f6d02612277b0877
After the security incident, Harvest Finance posted on Twitter following an initial investigation, saying:
Like other economic arbitrage attacks, this attack originated from a huge flash loan. The attacker repeatedly manipulated the price of one fund pool (Curve y Pool) to drain the funds in the other fund pools (fUSDT, fUSDC), then converted the funds into renBTC and cashed out.
In addition, Harvest Finance officials also stated:
The attack was carried out through the Curve y pool. In order to protect users, Harvest Finance has deposited the y pool and BTC Curve strategy funds in the Vault. So far, all stablecoins and BTC funds are in the Vault (no longer deployed in the strategy). Other pools are not affected.
Harvest Finance also worked with RenProtocol and identified 10 related BTC addresses, hoping that trading platforms such as Binance, Huobi, OKEx and Coinbase would freeze them. It further stated:
In addition to the BTC address holding the stolen funds, we now have a lot of personally identifiable information about the attacker. He is quite well-known in the crypto community.
Follow-up impact
Because of the large amount of money involved and the wide impact of this security incident, the market has once again raised concerns about the security of DeFi projects. Shenyu, co-founder of Cobo, stated on Weibo that in theory all stablecoin and single-asset BTC mining via CRV on Harvest carries this risk, and that everyone should pay attention to withdrawals.
Amid the spread of market panic, Debank data shows that the total value locked (TVL) of the DeFi market dropped from US$14.998 billion on October 25 to US$13.890 billion today. Among the top ten projects by TVL, four projects, Harvest, Curve, YFI and Aave, fell by more than 10%. Harvest in particular dropped from US$1.119 billion locked to US$585 million.
The sharp drop in locked value has driven up trading volume on decentralized exchanges such as Uniswap. According to Uniswap’s official website, Uniswap’s trading volume surged today, from yesterday’s US$148 million to US$2.11 billion, a 24-hour increase of 1267.91%.
The Block’s Research Director Larry Cermak tweeted that about 92% of the trading volume came from the USDT/ETH pair (48.3%) and the USDC/ETH pair (43.4%), and that these trades generated US$5.76 million in fees for Uniswap LPs.
According to data summarized by DeFi enthusiast jiecut, the hacker’s on-chain operations in this security incident brought considerable revenue to several platforms: Uniswap LPs earned nearly US$6 million; Curve LPs about US$1 million; ETH gas fees reached US$100,000; and RenVM collected US$20,000 in fees.
According to official sources, the attacker has returned US$2.479 million to the developers in the form of USDT and USDC, and the funds will be distributed proportionally, based on snapshots, to the depositors whose funds were affected. Harvest Finance has continued to tweet calls for the hackers to return the stolen funds, and offered a reward of US$100,000 to the first individual or team who successfully contacts the attacker and helps return user funds.
Security warning signs had already appeared
Before the attack, DeFi analyst Chris Blec had pointed out the huge risks of Harvest Finance. He noted that Harvest Finance has an admin key that allows its holders to mint tokens at will and steal users’ funds. As pointed out by PeckShield and Haechi, the project’s auditing companies, its governance parameters are not set by contracts with clearly defined rules. The admin key may be held by the anonymous developer behind the project, and its holders can mint an unlimited number of tokens and drain the funds in the token’s Uniswap pool.
At the same time, Chris Blec also said that the project may be trying to hide its audit reports from users, because he found that:
The URLs of the PeckShield and Haechi Labs audit report links are incorrect; all content before “https://github.com …” should be deleted.
When Chris Blec discovered the problem and tried to contact the Harvest Finance community and developers to ask about ownership of the admin key, he was verbally attacked, banned from Harvest Finance’s Discord community, and blocked on Twitter.
Latest progress
In its latest tweet, the team stated that it will release a post-mortem report within the next 16 hours and formulate future crisis response strategies, including evaluating insurance plans and compensation strategies. At press time, the Harvest token FARM was trading at US$101.35, a 24-hour drop of 56.7%.