A DeFi dapp with more than half a billion in locked assets says it was economically attacked through a flashloan.
“The economic attack was performed through the curve y pool, stretching the price of the stablecoins in Curve out of proportion and depositing and withdrawing a large amount of assets through harvest,” they said in an announcement, adding:
“At this point… to protect users, 100% of Stablecoin and BTC curve strategy funds have been withdrawn from the strategy to the vault.
Next: to protect users, we are moving to block deposits to the Stablecoin and BTC vault. Existing deposits will continue to earn FARM.
Like other recent flash loan attacks, the attacker sent back $2,478,549.94 to the deployer in the form of USDT and USDC.
This will be distributed to the affected depositors pro-rata using a snapshot.
Action steps complete:
1) All funds withdrawn from curve to vault
2) Deposits disabled for stablecoins and BTC
3) fUSDC share price: 0.834998
fUSDT share price: 0.844731
4) TUSD, DAI, WBTC, RENBTC and other deposits are not affected
5) All existing vaults are stabilized
Next, we are working on tracking the attacker. Flashloan attacker’s BTC addresses:
All of the hacker’s funds are in those BTC wallets.
In addition to the BTC addresses which hold the funds, there is now a significant amount of personally identifiable information on the attacker, who is well-known in the crypto community.
We are putting out a 100k bounty for the first person or team to reach out to the attacker and help the attacker return the funds to the deployer address.
We are not interested in doxxing the attacker, your skill and ingenuity is respected, just return the funds to the users.
We will release a post mortem report within the next 16 hours, and work on future risk-mitigation strategies against flashloan economic attacks, including evaluating insurance options, as well as reparation strategies.
For the attacker: you’ve proven your point, if you can return the funds to the users, it would be greatly appreciated by the community, including many bystanders.”
They claim: “Like other arbitrage economic attacks, this one originated with a large flashloan, and manipulated prices on one money lego (curve y pool) to drain another money lego (fUSDT, fUSDC), many times.
The attacker then converted the funds to renBTC and exited to BTC.
Like other flashloan attacks, the attacker did not give time to respond, performing the attack in 7 minutes end to end.”
According to Julien Bouteloup, an Ethereum developer, this was an arbitrage opportunity that led to a gain of some $24 million, with $2.4 million returned.
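The dependency the team's statement describes, a vault pricing its shares off a pool price that one large trade can move, can be seen in a small model. This is an added example, not Harvest's code: the constant-product pool (standing in for Curve's stableswap y pool), the reserves, the spot-price valuation and the 0.5% peg tolerance are all assumptions.

```python
from dataclasses import dataclass
# Constructed toy model: a constant-product pool stands in for the Curve y pool.

class PriceDeviation(Exception):
    """Raised when the pool price is too far from the reference peg."""

@dataclass
class Pool:
    usdc: float
    usdt: float

    def spot_price(self) -> float:
        return self.usdt / self.usdc       # USDT per USDC from current reserves

    def swap_usdt_for_usdc(self, usdt_in: float) -> float:
        k = self.usdc * self.usdt          # invariant before the trade
        self.usdt += usdt_in
        usdc_out = self.usdc - k / self.usdt
        self.usdc -= usdc_out
        return usdc_out

@dataclass
class Vault:
    pool: Pool
    usdc_held: float
    shares: float
    max_deviation: float = 0.005           # hypothetical tolerance: 0.5% around 1:1

    def share_price(self) -> float:
        # Assumed design: holdings are valued at the pool's spot price.
        return self.usdc_held * self.pool.spot_price() / self.shares

    def _check_peg(self) -> None:
        deviation = abs(self.pool.spot_price() - 1.0)
        if deviation > self.max_deviation:
            raise PriceDeviation(f"pool is {deviation:.1%} off peg")

    def deposit(self, usdt_in: float) -> float:
        self._check_peg()                  # refuse to price shares off a stretched pool
        minted = usdt_in / self.share_price()
        self.usdc_held += usdt_in / self.pool.spot_price()
        self.shares += minted
        return minted

if __name__ == "__main__":
    vault = Vault(Pool(1_000_000, 1_000_000), 500_000, 500_000)
    vault.deposit(1_000)                       # accepted while the pool is balanced
    vault.pool.swap_usdt_for_usdc(100_000)     # one large trade stretches the pool
    print(round(vault.share_price(), 4))       # share price follows the pool
```

The same check belongs on withdrawals, and a production guard would compare against a reference that a single trade cannot move rather than a fixed 1:1 peg.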
The team does not seem to be very responsive on their Discord currently, but there are suggestions that 23 BTC has been sent to Binance. We haven’t verified it.
Ethereum’s price fell to $404 while Farm, Harvest’s token, dropped from $230 to below $100 before currently trading at $115.
Article updated with an explanation of the “attack.”