We warned you that DeFi will end in tears. Flash crashes, problems with liquidity pools, faulty smart contracts; they all play a role. Now the Harvest Finance DeFi protocol was hacked, proving that attackers can leverage multiple weaknesses in yield farming to take profits.
How did a Hacker Steal from Harvest Finance?
To understand the Harvest Finance hack, it is necessary to go through the facts:
- The attacker manipulated prices on one pool – curve y – to drain another pool – fUSDT
- To cash out, the hacker converted the funds to renBTC
- Then he cashed out to Bitcoin
- This is called an arbitrage attack
- That hacker managed to rain an equivalent of $24 million USD from Harvest Finance
- FARM, which is Harvest Finance’s token, dropped by more than 50% following the attack
- The attacker decided to give $2.5 million USD back
- Harvest Finance will distribute that money to the people affected
If you read this carefully, you might be asking yourself, where is the hack? How can anyone label this as an attack?
Arbitrage is Baked into DeFi
After all, arbitrage is a feature of DeFi. You should be able to get a “loan” on a collateral and look for the best API on the money you got to profit. That is basically how DeFi works.
Well, maybe Harvest Finance specifically is not supposed to work like that within its own pools. That is why you can call this an attack. Nevertheless, the people that developed Harvest Finance baked this flaw into the system. Therefore, the word hack, or the word attack, might be misleading.
DeFi Protocol Exploits Shouldn’t Surprise Anyone
We prefer to call it an exploit, and these are more common than you would think on Ethereum. Long before DeFi, the DAO faced an attack. The “hacker” in that case exploited a flaw in the smart contract and drained funds from it.
Ethereum’s Vitalik Buterin famously advocated for a fork that effectively reversed all the transactions in that blockchain up to the point immediately before the DAO attacker drained the smart contract.
From that point onwards, throughout the ICO era and into DeFi, we know that attackers are bound to find more exploits, be them economic or code based.
Don’t be Fooled!
So, if it happened so many times and there are so many vulnerabilities, why do people still put their funds in these DeFi platforms? They might be aware of the risks and willing to run them at the very least.
By now you should be aware of these risks as well. You should also understand that a smart contract audit wouldn’t necessarily flag this kind of economic risk. If you invest after seeing an audit but you do not have the skills to audit the contract yourself, you are taking a risk you might not be aware of.
That is just another reason to stay away from DeFi. If you read this and still want to try Harvest Finance or any other DeFi protocol, then at least you know that you are exposed to arbitrage attacks as well, no matter how much they tell you otherwise.