Harvest Finance Hack Analysis & POC

Harvest finance got hacked for around $34M due to a flashloan attack which manipulated the price in the Curve pool to retrieve more USDT tokens than originally deposited USDT amount in fUSDT pool. This attack was also possible on other f-pools using the same set of steps described below. But the attacker chose not to continue. If the attack had continued, the attacker would have walked away with ~$400M worth of assets.

Harvest is a type of yield farming protocol the same as YFI (Yearn Finance). It gathers yields from various lending protocols and optimizes for the maximum gain to return to depositors. The attacker performed an arbitrage attack by using a large flash loan.

The Exploit

Detailed Transaction Trace

https://ethtx.info/mainnet/0x9d093325272701d63fdafb0af2d89c7e23eaf18be1a51c580d9bce89987a2dc1/

We will be focusing on this specific transaction to understand the hack.

https://etherscan.io/tx/0x9d093325272701d63fdafb0af2d89c7e23eaf18be1a51c580d9bce89987a2dc1

The attacker deploys a contract & pre-funds it with 10.69M USDT & 11.435M USDC
The attacker took flashloan of 50M USDT from the Uniswap v2 USDT-WETH pair.
The attacker then swaps 11.425M USDC for 11.407M USDT. Now the contract has 60.66M USDT.
A total of 60.66M USDT are then deposited to the fUSDT pool to get 71668595794204 fUSDT tokens.
The attacker then swaps 11.437M USDT back for USDC.
The attacker withdraws the deposited fUSDT to claim 61.1M USDT which is more than what was originally deposited i.e 60.6M USDT. Gaining profit of approximately 0.5M.
The attacker repeatedly called steps 3-6 4 times to gain profit.