On Monday, October 26, the crypto Twitter community and other social media users received news of a possible hack of Harvest Finance, which led to a loss of more than $25 million. The security breach allowed the attacker to swap some of the stolen funds into renBTC (rBTC). Moreover, the malicious actor used Tornado Cash, a tool used to mix Ethereum (ETH) based transactions to avoid leaving a trail, to move another part of the funds.
Unfortunately, the security breach had seemingly triggered panic withdrawals. Investors had recalled funds worth approximately $350 million from the pools.
Harvest’s anonymous team, through a Twitter post, acknowledged the presence of a security breach. Additionally, they noted that they’ve rolled up their sleeves to lessen the effects of the hack on Bitcoin (BTC) and stablecoin pools on the protocol.
Interestingly, since Harvest Finance only deploys funds on decentralized finance (DeFi) systems with the highest yields, Harvest’s team has observed that the unknown attacker messed with Curve Finance’s prices, one of the platforms where it deploys investor funds.
Part of the Harvest team’s immediate measures includes withdrawing all the funds (BTC and stablecoin) that were marked for use in the “Curve strategy.”
Notably, within hours from the time the crypto community noted the breach, the total value locked (TVL) in the network had drastically dropped from more than $1,000,000,000 to around $6,700,000.
A DeFi Analyst’s Prophesy
Interestingly, the DeFi platform had been flagged by an analyst, Chris Blec, as giving its admins powers to move users’ funds without permission.
In what seems like a coincidence, HAECHI AUDIT, a smart contract auditing firm, in its Harvest audit, pointed out that the “the Governance role is not Contract and can transfer user’s funds without permission.”
However, the report noted that the team had implemented time-locked upgrades, although the audit firm expressly noted it did not audit the time-lock upgrade.
$100,000 Bounty on Hacker
Fortunately, the team is slowly closing in on the hacker despite its obfuscation attempt. They even issued a bounty for the hacker worth $100,000. According to them,
There is now a significant amount of personally identifiable information on the attacker, who is well-known in the crypto community.
Harvest Finance listed the 10 BTC addresses associated with the hack and urged the leading crypto exchanges to blacklist them since all the stolen funds are allegedly there.
Source: Read Full Article