DEFIMARKETSECURITY

Disaster Update | Harvest hacked for $24 million! Hacker holds 1,520 bitcoins as a market time bomb

share
Disaster Update | Harvest hacked for $24 million! Hacker holds 1,520 bitcoins as a market time bomb

Today (10/26) around noon, the liquidity mining project Harvest Finance was reportedly hacked for $24 million. Its token FARM also plummeted by nearly 60%. Although the hacker returned a portion of the assets totaling $2.47 million, there is still a significant shortfall from the amount hacked. The official statement on Twitter expressed awe at the hacker's skills. Apart from calling for the return of user assets, the company also offered a $100,000 reward to the first team that can establish contact with the hacker.

It is understood that a large amount of funds was transferred out of the Harvest Finance pool at noon. The hacker cashed out approximately $24 million through multiple contract transactions, mainly by renBTC, and only returned $2.47 million to the developers. The attack mainly targeted the Curve y pool, and the steps taken since the attack are as follows:

  • Transfer of all Curve y funds to the vault
  • Suspension of stablecoin and Bitcoin deposits
  • fUSDC price: 0.834998
  • fUSDT price: 0.844731
  • Deposits of assets such as TUSD, DAI, WBTC, RENBTC are unaffected
  • All vaults are stable

As evident from the fUSDC and fUSDT prices, users participating in liquidity mining are very dissatisfied with the nearly 17% loss, not to mention the FARM token's nearly 60% drop. Harvest's official statement mentioned that the hacker returned $2,478,549.94 in the form of USDT and USDC and will distribute it proportionally to affected users through a snapshot here.

Advertisement - Please scroll down for more content

Hacker Cash-Out Process

According to the hacker'stransaction records, it is evident that the hacker made a profit of 11 million USDT and 13 million USDC in this attack. However, as holding stablecoins may risk being frozen by the issuer, the hacker chose not to hold stablecoins and instead gradually exchanged stablecoins for WBTC through Uniswap. The chart below shows the 24-hour token trading volume on Uniswap.

(Source: Uniswap

After obtaining WBTC, the hacker further exchanged WBTC for renBTC through Curve, and theaddress can be viewed to see all transaction processes. Through calculations, the hacker exchanged a total of 1,520 renBTC, valued at nearly 20 million USD. Currently, the hacker is attempting to exchange renBTC for BTC through Ren Protocol, and once successful, these bitcoins may become a time bomb in the market in the short term.

According to the latest statement from the Harvest team, they have contacted Ren Protocol to assist in locating the hacker's bitcoin address and have requested exchanges to blacklist theseaddresses.

Aside from attempting to control the bitcoin addresses that the hacker may use to cash out, the Harvest team claims that the hacker is quite well-known in the crypto community and has substantial personal information of hackers. They have also offered a reward of $100,000 to the first individual or team that can contact the hacker.

Subsequent Impact

It is worth noting that this attack unexpectedly led to a surge in trading volumes on both Uniswap and Curve platforms, with both platforms surpassing $2 billion in 24-hour trading volume, bringing substantial profits to liquidity providers on both platforms. It is estimated that Uniswap liquidity providers made around $6 million in profit within 24 hours, while Curve liquidity providers made around $1 million in profit.

Furthermore, due to the massive withdrawal of funds by Harvest, the mining income of the Curve y pool has skyrocketed, with an annualized return rate reaching 172%.

(Source: Curve