The developers of Harvest Finance published detailed information about the $34 million hack of the DeFi protocol and asked the hacker to return the stolen crypto assets to users.
On the Harvest Finance blog, the developers explained how the attacker managed to steal USDC and USDT reserves from the vaults. The project team also published an updated dollar value for the stolen crypto assets. It was previously assumed that the hackers had withdrawn $25 million, but the damage ultimately amounted to $34 million.
The attacker took out flash loans that allowed him to temporarily manipulate the Harvest Finance reserves stored in the Curve protocol. The flash loans lowered the value of USDT and USDC on Harvest, which allowed the attacker to buy crypto assets well below their real price. The hacker then repaid the loans and kept the additional profit.
The attack led to a sharp drop in the value of the Harvest Finance FARM token. According to CoinMarketCap, its price has fallen from $242 on Sunday to $100 at the moment.
“We made an engineering mistake, and we recognize it,” the Harvest Finance team said in a blog post.
To prevent such attacks in the future, the developers have proposed several solutions. First, make it impossible to deposit and withdraw funds in a single transaction, i.e. eliminate the path that flash loans rely on. Second, convert the Curve tokens being withdrawn into stablecoins in separate transactions, which will minimize the damage from a flash loan.
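The first proposal, shown as an added Python illustration (not Harvest Finance's contract code): a toy vault that prices its shares from a spot reading, run with and without a guard that rejects a withdrawal in the same transaction as the deposit. The `Vault` class, the `round_trip` helper, the `tx_id` bookkeeping and all numbers are constructed for this example.

```python
class Revert(Exception):
    """Aborts the transaction, as a failed require() would on-chain."""

class Vault:
    def __init__(self, assets, shares, same_tx_guard):
        self.assets = assets        # stablecoin units held for depositors
        self.shares = shares        # vault shares outstanding
        self.guard = same_tx_guard
        self.deposit_tx = {}        # account -> id of the tx holding its last deposit

    def share_price(self, spot):
        # Holdings are valued at the observed spot price (1.0 = fair value).
        return self.assets * spot / self.shares

    def deposit(self, who, amount, spot, tx_id):
        minted = amount / self.share_price(spot)
        self.assets += amount
        self.shares += minted
        self.deposit_tx[who] = tx_id
        return minted

    def withdraw(self, who, shares, spot, tx_id):
        if self.guard and self.deposit_tx.get(who) == tx_id:
            raise Revert("deposit and withdraw in the same transaction")
        paid = shares * self.share_price(spot)
        self.assets -= paid
        self.shares -= shares
        return paid

def round_trip(guard, borrowed=100.0, depressed_spot=0.99):
    """One atomic transaction: deposit while the spot reading is depressed,
    withdraw once it is back at 1.0. Returns (actor_profit, vault_assets)."""
    vault = Vault(assets=1000.0, shares=1000.0, same_tx_guard=guard)
    snapshot = (vault.assets, vault.shares)
    try:
        minted = vault.deposit("actor", borrowed, depressed_spot, tx_id=1)
        paid = vault.withdraw("actor", minted, 1.0, tx_id=1)
    except Revert:
        vault.assets, vault.shares = snapshot   # the whole transaction rolls back
        return 0.0, vault.assets
    return paid - borrowed, vault.assets

if __name__ == "__main__":
    print("no guard:", round_trip(guard=False))
    print("guard   :", round_trip(guard=True))
```

Without the guard the round trip pays out more than was deposited, and the difference comes out of the existing depositors' assets. With the guard the withdrawal reverts, and because a loan that must be repaid within the same transaction cannot wait for a later one, the deposit is rolled back with it.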
The creators of the protocol plan to eliminate the vulnerability in the near future and are asking the attacker to meet them halfway. On Twitter, the project developers wrote:
“For the attacker: You have proven your point, if you can get the money back to the users, it will be highly appreciated by the community, including many third-party DeFi watchers.”
Harvest Finance is offering a reward of $100,000 to the person who convinces the attacker to return the crypto assets, or $400,000 if it happens in the coming days.