Harvest Finance has fallen prey to a $34M flash loan attack and is now apologizing for the “engineering error,” committing to change, and requesting that the thief return the stolen money. Yesterday, Harvest Finance described how the attacker stole the USDC and USDT reserves from the vaults into which Harvest’s investors had locked their funds. The figure has also been updated: the total amount stolen was previously thought to be close to $24M.
The attacker took out a flash loan that allowed them to briefly manipulate the value of Harvest Finance’s reserves held in Curve, another DeFi protocol. The flash loans drove down the prices of USDT and USDC on Harvest, permitting the attacker to buy the tokens for far less than they were worth. This enabled them to pay back the flash loans and keep the difference as profit.
The attack has caused the price of Harvest’s token, FARM, to plummet. It dropped from $242 last Sunday to $100 currently. In a recent blog post, the Harvest team stated, “We made an engineering mistake, we own up to it.”
To prevent this from happening again, Harvest has proposed a couple of solutions. The first is to make it impossible to deposit and withdraw funds in a single transaction. The second is to convert the withdrawals of Curve tokens to stablecoins in separate transactions.
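The first proposed fix can be illustrated with a toy model; this is an added example, not Harvest's code, and the pricing formula, the names `ToyVault`, `spot` and `tx_id`, and all numbers are constructed assumptions. It shows a vault that prices shares from an external pool's spot price leaking value on a same-transaction round trip, and the guard rejecting that round trip.

```python
class SameTransactionError(Exception):
    """Deposit and withdrawal were attempted in one transaction."""

class ToyVault:
    # Constructed model: shares are priced from idle cash plus a pool
    # position valued at the pool's current spot price (an assumption).
    def __init__(self, cash, pool_units, enforce_guard):
        self.cash, self.pool_units = cash, pool_units
        self.shares = {"existing": cash + pool_units}  # minted at 1.0
        self.enforce_guard = enforce_guard
        self.last_deposit_tx = {}  # account -> tx id of latest deposit

    def share_price(self, spot):
        total_value = self.cash + self.pool_units * spot
        return total_value / sum(self.shares.values())

    def deposit(self, who, amount, spot, tx_id):
        minted = amount / self.share_price(spot)
        self.cash += amount
        self.shares[who] = self.shares.get(who, 0.0) + minted
        self.last_deposit_tx[who] = tx_id
        return minted

    def withdraw(self, who, shares, spot, tx_id):
        # Mitigation 1 from the text: no deposit + withdraw in one transaction.
        if self.enforce_guard and self.last_deposit_tx.get(who) == tx_id:
            raise SameTransactionError(f"{who} deposited in tx {tx_id}")
        payout = shares * self.share_price(spot)
        self.shares[who] -= shares
        self.cash -= payout
        return payout

def round_trip_gain(vault, amount, spot_in, spot_out, tx_in, tx_out):
    """Deposit at one spot price, withdraw at another; return net gain."""
    minted = vault.deposit("trader", amount, spot_in, tx_in)
    return vault.withdraw("trader", minted, spot_out, tx_out) - amount

if __name__ == "__main__":
    # Constructed numbers: spot reads 0.99 during the distortion, 1.00 after.
    print(round_trip_gain(ToyVault(500, 500, False), 1000, 0.99, 1.00, 1, 1))
    try:
        round_trip_gain(ToyVault(500, 500, True), 1000, 0.99, 1.00, 1, 1)
    except SameTransactionError as err:
        print("rejected:", err)
```

The guard works because a flash loan must be repaid within the transaction that borrowed it, so a distortion funded that way cannot persist into a later transaction. It does not change how shares are priced.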
While the protocol’s creators work to resolve the weakness, they want the money back. “The attacker has proven their point. If they can return the funds to the users, it would be greatly appreciated by the community,” they said in the blog post.
Harvest is now offering a bounty of $100,000 to the person who convinces the attacker to return the funds, or $400,000 if that happens within the coming 36 hours.