Harvest Finance Hack Analysis & POC

Table Of Content

Share:

Introduction

Harvest finance got hacked for around $34M due to a flashloan attack which manipulated the price in the Curve pool to retrieve more USDT tokens than originally deposited USDT amount in fUSDT pool. This attack was also possible on other f-pools using the same set of steps described below. But the attacker chose not to continue. If the attack had continued, the attacker would have walked away with ~$400M worth of assets. 

Harvest is a type of yield farming protocol the same as YFI (Yearn Finance). It gathers yields from various lending protocols and optimizes for the maximum gain to return to depositors. The attacker performed an arbitrage attack by using a large flash loan.

The Exploit

Detailed Transaction Trace

https://ethtx.info/mainnet/0x9d093325272701d63fdafb0af2d89c7e23eaf18be1a51c580d9bce89987a2dc1/

We will be focusing on this specific transaction to understand the hack. 

https://etherscan.io/tx/0x9d093325272701d63fdafb0af2d89c7e23eaf18be1a51c580d9bce89987a2dc1

  1. The attacker deploys a contract & pre-funds it with 10.69M USDT & 11.435M USDC 
  2. The attacker took flashloan of 50M USDT from the Uniswap v2 USDT-WETH pair.
  3. The attacker then swaps 11.425M USDC for 11.407M USDT. Now the contract has 60.66M USDT.
  4. A total of 60.66M USDT are then deposited to the fUSDT pool to get 71668595794204 fUSDT tokens.
  5. The attacker then swaps 11.437M USDT back for USDC.
  6. The attacker withdraws the deposited fUSDT to claim 61.1M USDT which is more than what was originally deposited i.e 60.6M USDT. Gaining profit of approximately 0.5M.
  7. The attacker repeatedly called steps 3-6 4 times to gain profit.

Try It Yourself!

We have put together a GitHub repository to reproduce the attack. Here is the Github repo:

https://github.com/abdulsamijay/Defi-Hack-Analysis-POC/tree/master/src/harvest-finance

More Weblogs

GameFi: Future of Gaming or Short-lived Gimmick?

On the surface, the GameFi industry sounds revolutionary. However, digging a little deeper reveals several questions about its legitimacy. What are the risks associated with its play-to-earn model? Are all games which claim to be a part of GameFi credible? And, at the end of the day, is this a viable direction for gaming, or nothing more than a short-lived gimmick?

Consumer Privacy & Data Breach Part II - Is Web 3.0 The Cure?

When the dot-com bubble burst, the technology modifications accelerated, and web 1.0 transformed into web 2.0. User-generated content took a boom, that allowed users to interact with the content and share their thoughts. But, the happiness wasn’t long-lived, the people soon realized that their information is being tracked and used for target marketing.

Harvest Finance Hack Analysis & POC

Harvest finance got hacked for around $34M due to a flashloan attack which manipulated the price in the Curve pool to retrieve more USDT tokens than originally deposited USDT amount in fUSDT pool.

Stay in Touch

Drop your email to read the BlockApex newsletter and keep yourself updated around the clock.

    All rights reserved. Copyright 2020-21