Harvest Finance, what was back in the day a $1 billion yield farming protocol on Ethereum, endured a malicious cyberattack last week that cleared approximately $30 million from user accounts.
The pseudonymous cyberattacker handled a flash loan, along with a set of devious transactions between Curve, Uniswap, and Harvest, that enabled them to dump millions of dollars worth of stablecoin from Harvest’s pools.
Reports show that the hacker could have kept on going and withdrawn close to $1 billion of stablecoin and tokenized Bitcoin deposits in the protocol but opted against doing so for an unexplained reason.
This cyberattack emphasized how flash loans could be utilized to exploit weak economic points within DeFi protocols and pool to the tune of millions of dollars.
It’s unclear whether or not he was inspired by the Harvest Finance attack, a security researcher in the space found a similar economic flaw within Yearn. finance, the original yield aggregator. Luckily, instead of exploiting this flaw, he announced it to the Yearn.finance team.
Yearn.finance developers rapidly fix bug
As reported by lead Yearn.finance developer Artem “Banteg” K, on Oct. 29, the team behind the protocol was contacted by security researcher Wen-Ding Li through the requisite security disclosure channels.
Wen-Ding Li described a potential attack vector of a flash loan attack that could take place on Yearn. finance’s TUSD Vault. Yearn.finance’s core product is its Vaults, which operate strategies that automatically yield farm with the deposited token in each Vault.
“HAVING ESTABLISHED CONTACT, WEN-DING DISCLOSES THAT HE HAS AN INITIAL PROOF OF CONCEPT OF A FLASH LOAN ATTACK THAT CAN BE MOUNTED ON THE TUSD VAULT, RESULTING IN AN 18% LOSS TO USERS, WITH THE ATTACKER BEING ABLE TO WALK AWAY WITH 650K TUSD.”
The speculative attack vector was similar to the Harvest one in that this Yearn. Finance Vault did not correctly account for slippage within the Curve when depositing and entering, allowing them to manipulate the price of stablecoins on Curve to their advantage.
As Banteg explained further:
“COMBINED, THIS MEANT THAT AN ATTACKER COULD CRUNCH THE DAI SUPPLY IN THE CURVE’S Y POOL, AND PROFIT FROM THE IMBALANCE CAUSED AS OUTLINED BELOW.”
Fortunately, the exploit was quickly patched, and the Vault is no longer vulnerable.
Allegedly, Yearn.finance’s Vaults for DAI and GUSD were vulnerable to the same vector of attack, but the proper measures were to avoid this from transpiring.
This attack vector appears soon after another was patched. Declared at the end of September, developers patched a “vulnerability [that] could have put funds of the yDAI, yTUSD and yUSD vaults at risk.“