Harvest Finance Hack Analysis & POC






    Harvest Finance was hacked for around $34M through a flash-loan attack that manipulated the price in the Curve pool, letting the attacker retrieve more USDT from the fUSDT pool than the amount originally deposited. The same attack was possible on other f-pools using the steps described below, but the attacker chose not to continue. Had the attack continued, the attacker would have walked away with ~$400M worth of assets.

    Harvest is a yield farming protocol similar to YFI (Yearn Finance). It gathers yields from various lending protocols and optimizes for the maximum gain to return to depositors. The attacker performed an arbitrage attack using a large flash loan.

    The Exploit

    Detailed Transaction Trace


    We will be focusing on this specific transaction to understand the hack. 


    1. The attacker deploys a contract and pre-funds it with 10.69M USDT and 11.435M USDC.
    2. The attacker takes a flash loan of 50M USDT from the Uniswap v2 USDT-WETH pair.
    3. The attacker then swaps 11.425M USDC for 11.407M USDT. The contract now holds 60.66M USDT.
    4. A total of 60.66M USDT is then deposited into the fUSDT pool in exchange for 71668595794204 fUSDT tokens.
    5. The attacker then swaps 11.437M USDT back for USDC.
    6. The attacker withdraws the deposited fUSDT to claim 61.1M USDT, which is more than what was originally deposited, i.e. 60.6M USDT, for a profit of approximately 0.5M.
    7. The attacker repeated steps 3-6 four times to gain profit.
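
The share-pricing flaw behind steps 3-6, as a simplified numerical model with a spot-price deviation guard beside it. This is an added example, not BlockApex's POC or Harvest's code: the constant-product pool (standing in for the Curve pool), the balances, `FEE`, `ref_price`, `tolerance` and all function names are constructed assumptions.

```python
from dataclasses import dataclass
FEE = 0.0004  # constructed swap fee (assumption, not from the page)

@dataclass
class Pool:
    """Constant-product USDC/USDT pool, a simplified stand-in for the Curve pool."""
    usdc: float
    usdt: float
    def price(self):
        return self.usdt / self.usdc  # spot value of 1 USDC, in USDT
    def swap(self, amount, usdc_in):
        x, y = (self.usdc, self.usdt) if usdc_in else (self.usdt, self.usdc)
        out = y - x * y / (x + amount * (1 - FEE))  # fee stays in the pool
        x, y = x + amount, y - out
        self.usdc, self.usdt = (x, y) if usdc_in else (y, x)
        return out

@dataclass
class Vault:
    """Vault that values its invested position at the pool's spot price."""
    pool: Pool
    idle_usdt: float
    invested_usdc: float
    shares: float
    ref_price: float = 0.0    # hypothetical trusted price (e.g. a TWAP); 0 = unguarded
    tolerance: float = 0.005  # constructed 0.5% deviation limit
    def share_price(self):
        spot = self.pool.price()
        if self.ref_price and abs(spot / self.ref_price - 1) > self.tolerance:
            raise ValueError("spot price deviates from reference; not pricing shares")
        return (self.idle_usdt + self.invested_usdc * spot) / self.shares
    def deposit(self, usdt):
        minted = usdt / self.share_price()
        self.idle_usdt, self.shares = self.idle_usdt + usdt, self.shares + minted
        return minted
    def withdraw(self, burned):
        usdt = burned * self.share_price()
        self.idle_usdt, self.shares = self.idle_usdt - usdt, self.shares - burned
        return usdt

def sample_vault(ref_price=0.0):  # constructed balances, not on-chain values
    return Vault(Pool(1e9, 1e9), 10e6, 100e6, 110e6, ref_price)

def round_trip(vault, usdc=10e6, usdt=60e6):
    """Replays steps 3-6 on the model; returns the depositor's net gain in USDT."""
    got_usdt = vault.pool.swap(usdc, usdc_in=True)         # step 3: spot price drops
    minted = vault.deposit(usdt)                           # step 4: shares minted cheaply
    usdc_back = vault.pool.swap(got_usdt, usdc_in=False)   # step 5: spot price recovers
    return vault.withdraw(minted) - usdt - (usdc - usdc_back)  # step 6, net of swap cost
```

With the constructed balances, `round_trip(sample_vault())` returns a gain of roughly 0.7M USDT taken from the other depositors, while `round_trip(sample_vault(ref_price=1.0))` raises `ValueError` at the deposit because the spot price has moved about 2% from the reference.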

    Try It Yourself!

    We have put together a GitHub repository to reproduce the attack. Here is the GitHub repo:

