Decentralized yield farming protocol Harvest Finance has lost $24 mln after being successfully exploited by a hacker. $2.5 mln has been already sent back to the deployer.
Whoever hacked the protocol is currently converting his or her ill-gotten gains to renBTC, a popular synthetic version of Bitcoin, and Tornado Cash, a zkSNARKs-based privacy tool for obfuscating Ethereum transactions.
In its statement, Harvest Finance explains that the attack was carried through the Curve Finance Y pool that allows earning interest by depositing stablecoins and Bitcoin:
“The economic attack was performed through the curve y pool, stretching the price of the stablecoins in Curve out of proportion and depositing and withdrawing a large amount of assets through harvest.”
All of the protocol’s stablecoin and Bitcoin strategy funds have been withdrawn to its vault.
Harvest Finance’s FARM governance token has collapsed over 60 percent, according to CoinGecko data.
DeFi Pulse data also shows that the protocol has hemorrhaged over $369.8 mln worth of total value locked.
The attack underscores the fragility of DeFi protocols that routinely face similar attacks. Entrepreneur and quant trader Qiao Wang calls the Harvest Finance incident “a huge setback” for DeFi:“Really wanted to see anon/pseudon teams succeed in crypto but so far we still only have BTC and arguably XMR I think. Harvest is a huge setback for anon DeFi.”
Prior to the hack, the Chinese protocol would face plenty of criticism due to its centralized key management model, with its anonymous founders singlehandedly controlling over $1 bln of assets.
Some of the protocol users are complaining about being kicked from the protocol’s Discord channel after asking about the attack.