Decentralized finance (defi) protocol Harvest Finance was hacked on Monday for $24 million. The attacker targeted the protocol’s liquidity pools, performing an arbitrage attack using a large flash loan, a type of uncollateralized loan, and later returned $2.5 million. The hack was complete in seven minutes.
Harvest Finance revealed that the hacker “manipulated prices on one money lego (curve y pool) to drain another money lego [farm USDT (fUSDT), farm USDC (fUSDC)], many times. The attacker then converted the funds to renBTC and exited to bitcoin.”
RenBTC is a bitcoin-backed token used on the Ethereum blockchain.
Farm, Harvest’s native token, fell 54% to $101.79 on the news, according to Coingecko data. Following the attack, the amount of money locked in the protocol also crashed to $575 million from $1 billion on Oct. 25, as fretful investors pulled their deposits.
Harvest provided a list of 10 bitcoin addresses belonging to the hacker, to which it believes the stolen funds may have been moved. It also asked exchanges like Binance, Coinbase, and Huobi to block the attacker’s addresses.
The three-month-old platform said that there is a “significant amount of personally identifiable information on the attacker, who is well-known in the crypto community.” Not willing to dox the cyber-thief, Harvest Finance is now offering a $100,000 bounty “for the first person or team to reach out to the attacker.”
The $2.5 million returned by the hacker will be “distributed to the affected depositors pro-rata using a snapshot,” Harvest tweeted.
Harvest’s hack comes just six weeks after an attacker made off with $8.1 million in bitcoin from another defi protocol, Bzx. However, Bzx managed to recover the funds.