Harvest Finance Hack Analysis & POC


    Introduction

    Harvest Finance was hacked for around $34M in a flash loan attack that manipulated the price in the Curve pool, letting the attacker retrieve more USDT from the fUSDT pool than was originally deposited. The same set of steps described below would also have worked against the other f-pools, but the attacker chose not to continue. Had the attack continued, the attacker would have walked away with ~$400M worth of assets.

    Harvest is a yield farming protocol similar to YFI (Yearn Finance). It gathers yields from various lending protocols and optimizes for the maximum gain to return to depositors. The attacker performed an arbitrage attack using a large flash loan.

    The Exploit

    Detailed Transaction Trace

    https://ethtx.info/mainnet/0x9d093325272701d63fdafb0af2d89c7e23eaf18be1a51c580d9bce89987a2dc1/

    We will be focusing on this specific transaction to understand the hack. 

    https://etherscan.io/tx/0x9d093325272701d63fdafb0af2d89c7e23eaf18be1a51c580d9bce89987a2dc1

    1. The attacker deploys a contract and pre-funds it with 10.69M USDT and 11.435M USDC.
    2. The attacker takes a flash loan of 50M USDT from the Uniswap v2 USDT-WETH pair.
    3. The attacker then swaps 11.425M USDC for 11.407M USDT. The contract now holds 60.66M USDT.
    4. The full 60.66M USDT is then deposited into the fUSDT pool in exchange for 71668595794204 fUSDT tokens.
    5. The attacker then swaps 11.437M USDT back for USDC.
    6. The attacker withdraws the deposited fUSDT to claim 61.1M USDT, which is more than the 60.6M USDT originally deposited, for a profit of approximately 0.5M.
    7. The attacker repeated steps 3-6 4 times to gain profit.
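
    The pricing flaw behind steps 3-6, and one guard against it, as an added example that is not code from Harvest or from the linked repository. It is a simplified model: a fee-free constant-product pool stands in for the Curve pool (so the effect is exaggerated), all balances are constructed, and the `max_dev` reference check is an illustrative mitigation, not Harvest's actual fix.

```python
class Pool:
    """Constant-product USDC/USDT pool, no fees (assumed stand-in for the Curve pool)."""
    def __init__(self, usdc, usdt):
        self.usdc, self.usdt = usdc, usdt

    def swap(self, amount_in, usdc_in):
        k = self.usdc * self.usdt
        if usdc_in:
            self.usdc += amount_in
            out = self.usdt - k / self.usdc
            self.usdt -= out
        else:
            self.usdt += amount_in
            out = self.usdc - k / self.usdt
            self.usdc -= out
        return out

class Vault:
    """Holds idle USDT plus a fraction of the pool, valued at the pool's spot price."""
    def __init__(self, pool, lp_frac, idle, max_dev=None):
        self.pool, self.lp_frac, self.idle, self.max_dev = pool, lp_frac, idle, max_dev
        self.ref = self.invested()          # trusted reference, taken before any swap
        self.shares = self.idle + self.ref  # initial share price of 1.0

    def invested(self):
        return self.lp_frac * 2 * self.pool.usdt  # spot USDT value of the pool position

    def _price(self):
        value = self.invested()
        if self.max_dev is not None and abs(value - self.ref) / self.ref > self.max_dev:
            raise ValueError("pool valuation deviates from reference; not pricing shares")
        return (self.idle + value) / self.shares

    def deposit(self, usdt):
        minted = usdt / self._price()
        self.idle += usdt
        self.shares += minted
        return minted

    def withdraw(self, shares):
        usdt = shares * self._price()
        self.idle -= usdt
        self.shares -= shares
        return usdt

def round_trip(max_dev=None, deposit=50e6, skew=10e6):
    """Depositor's gain from one skew/deposit/unskew/withdraw cycle (constructed balances)."""
    pool = Pool(100e6, 100e6)
    vault = Vault(pool, lp_frac=0.5, idle=10e6, max_dev=max_dev)
    usdt_out = pool.swap(skew, usdc_in=True)   # USDT leaves the pool; position looks cheaper
    minted = vault.deposit(deposit)            # shares minted at the depressed price
    pool.swap(usdt_out, usdc_in=False)         # pool returns to its starting balance
    return vault.withdraw(minted) - deposit    # gain is paid by the other share holders
```

    Without the check the cycle returns a gain even though the pool ends where it started; with `max_dev=0.01` the deposit is rejected while the pool is skewed, and an undisturbed deposit still goes through.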

    Try It Yourself!

    We have put together a GitHub repository to reproduce the attack:

    https://github.com/abdulsamijay/Defi-Hack-Analysis-POC/tree/master/src/harvest-finance
