An unknown attacker used $24 million in stablecoins from Harvest Finance DeFi protocol pools to withdraw $19.8 million in renBTC. The project’s native token FARM fell by more than 50%.
According to the developers, the hacker manipulated the prices of stablecoins in the DeFi protocol Curve, with which Harvest Finance interacts. It took seven minutes to withdraw funds from the platform. Some of the assets were routed through the Tornado Cash mixer.
The economic attack was performed through the curve y pool, stretching the price of the stablecoins in Curve out of proportion and depositing and withdrawing a large amount of assets through harvest.

To protect users, we’ve pulled y pool and btc curve strategy funds to the vault

— Harvest Finance (@harvest_finance) October 26, 2020
The team stated that it withdrew “100% of stablecoins and BTC from the Curve strategy funds” to the vault. Together with Ren Protocol, it identified the attacker’s addresses, and project representatives asked leading exchanges to block them.
To be specific: to protect users, 100% of Stablecoin and BTC curve strategy funds have been withdrawn from the strategy to the vault.

— Harvest Finance (@harvest_finance) October 26, 2020
The Harvest Finance team also said that the attacker returned $2.47 million. It will be distributed among affected investors.
The attacker sent back $2,478,549.94 to the deployer in the form of USDT and USDC.

This will be distributed to the affected depositors pro-rata using a snapshot

— Harvest Finance (@harvest_finance) October 26, 2020
Later, the platform developers said that they not only know the attacker’s addresses but also have personal information about him. The hacker is “well known in the Bitcoin community.” The project has set a $100,000 bounty for the first person to contact him and help recover the funds.
⚠️Harvest Finance⚠️

• Still over $1 billion
• Still anon team with admin key that can drain funds
• Still unknown security of key
• Still blocking me on Twitter
• Still banning me from Discord

Response: Trust them cuz $1 billion is “not useful…” and “don’t bother us…” pic.twitter.com/N443bnxkE9

— Chris Blec (@ChrisBlec) October 25, 2020
As reported, the KuCoin exchange hacker sent 11,520 ETH (~$4.8m) to the Ethereum mixer Tornado Cash and managed to mix it in batches of 100 ETH, totalling 2,800 coins worth about $1.16m. The coins on Ethereum were converted via Uniswap and Kyber Network.