Harvest Finance Hack Analysis & POC

Harvest Finance was hacked for around $34M in a flash-loan attack that manipulated the price in the Curve pool, letting the attacker withdraw more USDT from the fUSDT pool than was originally deposited. The same set of steps described below would also have worked against the other f-pools, but the attacker chose not to continue. If the attack had continued, the attacker would have walked away with ~$400M worth of assets.

Harvest is a yield farming protocol, similar to YFI (Yearn Finance). It gathers yields from various lending protocols and optimizes for the maximum gain to return to depositors. The attacker performed an arbitrage attack using a large flash loan.

The Exploit

Detailed Transaction Trace

https://ethtx.info/mainnet/0x9d093325272701d63fdafb0af2d89c7e23eaf18be1a51c580d9bce89987a2dc1/

We will be focusing on this specific transaction to understand the hack. 

https://etherscan.io/tx/0x9d093325272701d63fdafb0af2d89c7e23eaf18be1a51c580d9bce89987a2dc1

  1. The attacker deploys a contract and pre-funds it with 10.69M USDT and 11.435M USDC.

  2. The attacker takes a flash loan of 50M USDT from the Uniswap v2 USDT-WETH pair.

  3. The attacker then swaps 11.425M USDC for 11.407M USDT. The contract now holds 60.66M USDT.

  4. The full 60.66M USDT is then deposited into the fUSDT pool in exchange for 71668595794204 fUSDT tokens.

  5. The attacker then swaps 11.437M USDT back for USDC.

  6. The attacker redeems the fUSDT to claim 61.1M USDT, which is more than the 60.6M USDT originally deposited, for a profit of approximately 0.5M.

  7. The attacker repeated steps 3-6 4 times to gain profit.
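The share accounting behind steps 3-6, as a simplified model added here for illustration; it is not code from the Harvest contracts or from the POC repository. It assumes the vault values its invested position at the pool's current spot price, and it shows a price-deviation guard as one possible mitigation; the class names, pool sizes and the 50 bps tolerance are all constructed.

```python
# Added illustration (not Harvest's code): a vault that mints and redeems
# shares using a spot price read from an external pool.
# All names and numbers below are constructed for this example.

class PriceDeviation(Exception):
    """Spot price is too far from the trusted reference price."""

class Vault:
    def __init__(self, idle, invested_units, ref_price, max_dev_bps=None):
        self.idle = idle                      # USDT held directly by the vault
        self.invested_units = invested_units  # position held in the external pool
        self.ref_price = ref_price            # reference price, e.g. a time-averaged feed
        self.max_dev_bps = max_dev_bps        # None = no guard (the weak setting)
        self.total_shares = self.total_value(ref_price)  # start at 1 share = 1 USDT

    def total_value(self, spot):
        # Weak point: the invested position is valued at a price that a
        # large swap in the same transaction can move.
        return self.idle + self.invested_units * spot

    def _check(self, spot):
        if self.max_dev_bps is None:
            return
        dev_bps = abs(spot - self.ref_price) / self.ref_price * 10_000
        if dev_bps > self.max_dev_bps:
            raise PriceDeviation(f"spot deviates {dev_bps:.0f} bps from reference")

    def deposit(self, amount, spot):
        self._check(spot)
        shares = amount * self.total_shares / self.total_value(spot)
        self.idle += amount
        self.total_shares += shares
        return shares

    def withdraw(self, shares, spot):
        self._check(spot)
        amount = shares * self.total_value(spot) / self.total_shares
        self.idle -= amount
        self.total_shares -= shares
        return amount

def round_trip_gain(vault, amount, spot_in, spot_out):
    """Depositor's gain from depositing at spot_in and redeeming at spot_out."""
    shares = vault.deposit(amount, spot_in)
    return vault.withdraw(shares, spot_out) - amount

if __name__ == "__main__":
    # Constructed numbers: 10M idle, 100M invested, 60M deposit, 1% price dip.
    print(round_trip_gain(Vault(10e6, 100e6, 1.0), 60e6, 0.99, 1.00))
```

Without the guard, the gain is paid out of the existing depositors' share value; with `max_dev_bps` set, a deposit or withdrawal priced outside the tolerance is rejected before any shares move.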

Try It Yourself!

We have put together a GitHub repository to reproduce the attack. Here is the GitHub repo:

https://github.com/abdulsamijay/Defi-Hack-Analysis-POC/tree/master/src/harvest-finance

Gul Hameed
