Decentralized exchanges Uniswap and Curve Finance are experiencing their largest daily trading volumes ever recorded—and it appears that it’s all being driven by a DeFi exploit that drained millions from yield farming protocol Harvest Finance.
Uniswap saw daily trading volume explode to more than $2 billion today, dwarfing the previous all-time high of $950 million as an as-yet-unidentified DeFi hacker used “flash loans” offered by the exchange to drain $25 million from Harvest Finance. Meanwhile, Curve Finance, another DeFi swap protocol, recorded volume of more than $2.8 billion, smashing the previous all-time high of just $524 million in September 2020. That combined $5 billion represents a 24-hour increase in DEX volumes of 1,700%.
What caused that huge spike in volume? Apparently, a “hacker” (depending on your use of the term) executed a flash loan exploit that used millions of dollars' worth of cryptocurrency across both Uniswap and Curve to drive down the perceived prices of USDT and USDC tokens on Harvest Finance. The attacker then bought those tokens at a discount and used them to pay back the initial flash loan while netting a tidy profit for himself. He (she/they) did this multiple times, hence the inflated volumes.
DeFi developer and Yearn Finance founder Andre Cronje was quoted from a Telegram conversation outlining the basics of the exploit:
tl;dr on harvest exploit pic.twitter.com/4CyFEIGPt7
— banteg (@bantg) October 26, 2020
Clever “economic attacks” are not uncommon in the burgeoning world of DeFi—shorthand for a group of applications built to run on blockchains, such as Ethereum, using automatically executed blocks of code known as smart contracts. Using smart contracts, DeFi protocols are able to issue loans, provide interest on deposits, and swap between different cryptocurrencies similar to centralized exchanges like Binance, all without a centralized third party like a bank facilitating transactions.
DeFi protocols like Uniswap and Curve Finance use pooled crypto deposits from users known as liquidity providers to allow traders to swap between tokens automatically. In exchange for adding their tokens to the pool, liquidity providers—the users contributing to the token reserves used to power decentralized trades—receive trading fees generated from token trades. The greater the volume of trades, the more DeFi liquidity providers earn in fees from decentralized exchanges.
Uniswap is also one of a handful of DeFi protocols offering flash loans, a feature allowing users to take out loans worth millions if they can pay them back plus a small fee within the space of one Ethereum blockchain block, which lasts about 15 seconds. Savvy DeFi users can leverage flash loans to perform arbitrage between decentralized exchanges and other financial operations by programming a smart contract script to perform the desired actions within a single sequential Ethereum transaction.
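As an added illustration (not code from this article or from any of the protocols named), the sketch below models a simplified constant-product pool to show how one large swap moves the price that a dependent protocol would read, how much the pool's liquidity providers earn from it, and how a deviation check against an independent reference rejects the skewed price. The Uniswap v2-style formula and 0.3% fee stand in for Curve's different pricing curve, and the names `Pool` and `price_is_trustworthy`, the 1% threshold, the reference price and all reserve figures are assumptions constructed for the example.

```python
from dataclasses import dataclass

FEE = 0.003  # Uniswap v2-style 0.3% swap fee, paid to liquidity providers


@dataclass
class Pool:
    """Simplified constant-product pool (x * y = k); reserves are constructed."""
    usdc: float
    usdt: float
    fees_collected: float = 0.0

    def spot_price(self) -> float:
        """USDC per 1 USDT implied by the current reserves."""
        return self.usdc / self.usdt

    def swap_usdt_for_usdc(self, usdt_in: float) -> float:
        """Sell USDT into the pool; returns the USDC paid out."""
        fee = usdt_in * FEE
        net = usdt_in - fee
        usdc_out = self.usdc * net / (self.usdt + net)
        self.usdt += usdt_in  # the fee stays in the pool for its providers
        self.usdc -= usdc_out
        self.fees_collected += fee
        return usdc_out


def price_is_trustworthy(spot: float, reference: float, max_dev: float = 0.01) -> bool:
    """Hypothetical guard: accept a spot price only near an independent reference."""
    return abs(spot - reference) / reference <= max_dev


def demo() -> dict:
    pool = Pool(usdc=50_000_000, usdt=50_000_000)  # constructed reserves
    reference = 1.0  # assumed independent reference, e.g. a time-averaged price
    before = pool.spot_price()
    pool.swap_usdt_for_usdc(10_000_000)  # one large, loan-sized swap
    after = pool.spot_price()
    return {
        "before": before,
        "after": after,
        "accepted_before": price_is_trustworthy(before, reference),
        "accepted_after": price_is_trustworthy(after, reference),
        "lp_fees": pool.fees_collected,
    }


if __name__ == "__main__":
    print(demo())
```

A protocol that values deposits straight from `spot_price()` would see USDT at roughly 0.69 USDC after the swap, while the guard refuses to act on that reading.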
Harvest Finance, developed and run by an anonymous team, has halted deposits into several products on their protocol, and has promised to release a post-mortem on the attack within a few hours. The team has also announced a $100,000 bounty for anyone who can help appeal to the attacker, and has alluded to significant publicly available evidence that could be used to identify them.
For Uniswap and Curve liquidity providers, the exploit is a reminder of the dangers that still lurk in the very young DeFi industry, where even audited code like Harvest’s can fall victim to well-executed attacks. But it’s also an unexpected opportunity for increased returns, showing the potential power of flash loans to generate enormous volume and the fees that come with it.
The unexpected silver lining? These liquidity providers today collected more than $5 million in trading fees between Uniswap and Curve in a single day.