CryptoMode Harvest.Finance Hack

Defi protocols have proven to be a prone target for hackers and other criminals. In the case of Harvest.Finance, a significant amount of funds has been drained from the smart contract. Surprisingly, some of it has been “sent back”, raising a lot of questions in the process. 

Harvest.Finance Flashloan Attack

Over the past few months, there have been multiple incidents involving DeFi platforms and services. In some cases, the team pulls an exit scam, which is par for the course. Other times, someone successfully finds a way to disrupt services and steal millions of dollars. For Harvest.finance, this latter type of attack is now proving to be quite the headache. 

To put everything into perspective, a flash loan “attack’ is performed against the DeFi platform. This has allowed the culprit to siphon off roughly $24 million in assets. Most of this funds has been cashed out by converting it to renBTC and using the Tornado service. Such an approach is not entirely abnormal, as hackers know the funds they steal will be flagged incredibly quickly. 

Making matters even more interesting is how the alleged “hacker” sent $2.5 million back to the Harvest.Finance team. This is not entirely abnormal either, but always raises questions. There is no incentive for a hacker to steal money and send 10% back. These people do not have “goodwill” by any means. 

By performing a large flashloan attack, lenders can manipulate prices on certain liquidity pools. In this case, the target was the Curve Y pool, which was leveraged to drain funds – fUSDT and fUSDC – multiple times. Eventually, everything was wrapped into renBTC and then allegedly siphoned off in Bitcoin. 

Bitcoin is King and Doxxing is Real

Converting the stolen funds to Bitcoin is an interesting decision. At the same time, it is the only chain that will not have third parties “freeze funds” on a whim. Ethereum’s smart contracts allow for coders to effectively freeze funds and transactions. While it can help address situations like these, it’s also problematic in many other ways. 

The downside to converting to Bitcoin is how everything becomes more public. According to Harvest.Finance, there is “a significant amount of personally identifiable information on the attacker”. Ultimately, this will lead to the attacker being doxxed. A very risky approach, as this often results in a virtual witch hunt. Moreover, it wouldn’t be the first time to see the wrong person being identified either. 

Making matters worse is how the Harvest.Finance team offers $100,000 to the person reaching out to the attacker. All they want – on the surface – is to see funds returned. Such a large bounty seems to indicate something else is going on entirely. A very problematic situation that reinforces the need for revising significant parts of the current DeFi ecosystem.


Looking to advertise? We will gladly help spread the word about your project, company, or service. CryptoMode produces high quality content for cryptocurrency companies. We have provided brand exposure for dozens of companies to date, and you can be one of them. All of our clients appreciate our value/pricing ratio. Contact us if you have any questions: [email protected]