Harvest Finance, a yield farming protocol similar to Yearn Finance (YFI), has been hacked today. In the attack, $ 24 million worth of tokens were siphoned. 2.5 million dollars of these were returned.
A few hours ago, messages were published on the Discord channel of the DeFi community Harvest Finance that some members experienced a loss of 10 to 15 percent when they wanted to remove their fUSDC from staking. Shortly after these messages, there were reactions from the larger group of members of the community for a possible exit fraud.
During the time the news was published, the FARM token fell by 70 percent. According to the information received, hackers or fraudsters are trying to transfer the funds to renBTC and sell them. It is stated that a fund of more than 500 million dollars is also at risk.
In fact, according to some users, most of the funds were sent to the Ethereum anonymization protocol Tornado Cash for money laundering. At the time of writing, it is still unclear whether the issue is related to Curve or Harvest.
In the statement made by Harvest Finance, it was stated that the issue was investigated and that there were some problems, and it was informed that it was actively working to reduce this “economic attack” against the fixed coin and BTC pools.
The economic attack in question was carried out through the Curve Y pool, and the price of the fixed coins in the Curve was taken out of the expected rate. Large sums of funds were also invested in Harvest and withdrawn.
In the statement made by the protocol, it was stated that the strategy funds in the Y pool and BTC Curve were transferred to the vaults to protect the users. Currently, all of these funds have been transferred to a safe. According to the information obtained so far, other pools were not affected by this attack.
In another statement made by Harvest, it was stated that another step to be taken to protect users is to prevent funds to be sent (deposit) to stablecoins and BTC vaults. Other deposits of funds that exist to earn FARM will continue.
After it was stated that the 7-minute attack created a large “flash loan”, the following statement came from the protocol:
“The attackers sent back $ 2 million 478 thousand in the form of USDT and USDC. These funds will be distributed to the missing survivors after they are identified ”
On the other hand, the Harvest Finance team announced that they will award 100 thousand dollars to the first person or team to reach the attacker. The team also requested exchanges such as Binance, Coinbase, and Huobi to block the attacker’s addresses.
Are the attackers the developers?
Ricardo Spagni, one of the creators of the privacy-focused currency Monero, said: “The attacker sent back some of the funds. Probably because he’s such a good person… If this doesn’t mean that the attackers and the developers are the same person, I don’t know anything either. ” said.
DeFi researcher and analyst Chris Blec said it cannot be ignored that an insider did this job.
Harvest Finance was launched in August. DeFi Pulse data shows that the value locked in the protocol before the attack was over $ 1 billion.