Decentralized finance (DeFi) protocol Harvest Finance has issued a $100,000 bounty on a hacker who attacked the protocol’s liquidity pools. The hacker reportedly drained about $24 million from Harvest Finance and then converted the funds to renBTC. The attack has caused the protocol’s native token, FARM, to plummet in price.
Harvest Finance has also appealed directly to the attacker to return funds. “For the attacker: you’ve proven your point, if you can return the funds to the users, it would be greatly appreciated by the community, including many bystanders watching DeFi from afar,” the DeFi protocol (@harvest_finance) said in a tweet on October 26, 2020.
As Harvest Finance became aware of the attack, they took several steps to protect users. Again via their Twitter account, the DeFi protocol announced that 100% of Stablecoin and BTC curve strategy funds were withdrawn from the strategy to a secure vault. In addition, the protocol advised that they were “moving to block deposits to the Stablecoin and BTC vault.”
The attack itself, however, barely gave the protocol enough time to react, reportedly taking place in just seven minutes from start to finish.
According to Harvest Finance, there is already enough information available to identify the attacker. In a tweet published today, the DeFi protocol said “there is now a significant amount of personally identifiable information on the attacker, who is well-known in the crypto community.”
As the fallout from the hack continued, Harvest Finance published 10 BTC addresses, claiming that “all of the hacker’s funds are in [these] wallets.” In an additional tweet, the protocol called on major crypto exchanges, including Binance, to blacklist these addresses.
The growing specter of DeFi hacks
The attack on Harvest Finance is the latest in a succession of hacks and other vulnerabilities that have plagued the decentralized finance community in recent months. In August of this year, DeFi protocol Opyn was stripped of $370,000. In September, the $FEW scandal, caused by leaked Telegram messages, attracted criticism from the community.
“As the DeFi space is still in its infancy, we are seeing the type of attacks mature,” Charles Storry, co-founder of PhutureDAO, told Decrypt, adding that “open innovation within DeFi is key, losing funds with untested and unsecure code is not what DeFi is about.”
Going forward, Harvest Finance has pledged to release a post-mortem report, and “work on future risk-mitigation strategies against flash loan economic attacks, including evaluating insurance options, as well as reparation strategies.”
We have contacted Harvest Finance and will update this story if we hear back from them.