The Harvest Finance attack is fully reproduced: How to use the cost of 20 ETH to leverage $30 million in revenue? (www.blockcast.cc)

This morning, Harvest Finance, the DeFi aggregation agreement, issued a statement on yesterday’s lightning loan attack.

According to the announcement, the total loss of the attack was 33.8 million U.S. dollars (previously reported that it was 4 million U.S. dollars), accounting for about 3.2% of the total value of locked positions in the agreement before the attack; the attacker returned more than 2.47 million U.S. dollars in proportion to the snapshot Assigned to affected depositors; in the future, Harvest Finance will implement a “submit-disclose” mechanism for deposits to reduce lightning loan attacks, use oracles to determine asset prices, and increase deposit arb configuration (the current threshold is set to 3%).

At 10 o’clock yesterday morning, Twitter users broke the news that the attacker relied on the cost (handling fee) of 20 ETH to gain impermanence through arbitrage in the Curve protocol y pool through lightning loans, and the Curve.fi Y pool is where Harvest Vault invests. The attackers then converted the funds into renBTC and cashed out, and Harvest also lost millions of dollars as a result. Many participants reported that they lost 15% to 20% of their funds.

Affected by this, the price of Harvest Finance’s governance token, FARM, plummeted from US$237 to US$78, with a maximum drop of nearly 70%. As of today’s press release, the price of FARM has rebounded to around US$110; the amount of Harvest’s agreement lock-up has also increased from US$1.11 billion. It has plummeted to 450 million U.S. dollars, the biggest drop of 60%.

However, the Curve agreement has not been affected. The price of its governance token CRV has continued to rise in the past 24 hours, once rising to 0.44 USDT, with a maximum increase of nearly 30%.

(1) Event review: flash loan arbitrage

Harvest Finance is a DeFi income aggregator whose main function is to provide liquidity to other DeFi pools to earn income for its liquidity providers. Before the attack, Harvest Finance mainly provided liquidity in the Curve protocol y pool.

How does the attacker achieve the attack and complete arbitrage?

Let me explain the logic of this attack for everyone. To put it simply, there are three steps, namely “borrowing-forward operating price-reverse operating price”:

• The attacker borrowed a large amount of USDT and USDC through flash loans;
• Converting a large amount of USDT to USDC in the Y pool resulted in an increase in the price of USDC; since the USDC price in the Harvest pool refers to the Y pool, it also increased; at this time, USDC is used to exchange more fUSDC in the Harvest pool;
• In the Y pool, the above process is reversed, and a large amount of USDC is converted into USDT, resulting in a decrease in the price of USDC; at this time, the price of USDC in the Harvest pool also decreases; fUSDC can be used to exchange more USDC than the original to complete arbitrage.

Of course, in order to enable transactions on the chain to be carried out in a very short period of time, each transaction is given a sufficient fee.

The Harvest Finance announcement introduced the complete attack chain:

• Transferring 20 ETH through the Ethereum anonymous transfer platform Tornado.cash as a subsequent attack fee, the attacker’s wallet address is 0xf224ab004461540778a914ea397c589b677e27b, and an attack contract 0xc6028a9fa486f52efd2b95b949ac630d287ce0af is deployed.
• Lend a huge amount of USDT (18,308,555.417594) and USDC (50 million) through Uniswap V2 Lightning Loan, and inject them into the attack contract;

(Note: Flash loans require borrowing and repayment to be completed in “one transaction”, otherwise the loan funds will be withdrawn. The attacker took advantage of this blank time to complete the arbitrage transaction; flash loan arbitrage is also a common one at present the way.)

• This contract converts 17222012.640506 USDT into USDC through a swap agreement in the Curve agreement Y pool. The impact of the swap is that due to the impermanent losses of other assets, the value of USDC in the Y pool increased, and it obtained 17,216703.208672 USDC; at this time, the attacker added the principal of the previous lightning loan, and the attack held about 67.21 million USDC and 108.65. Million USDT.
• The attacker deposited 49,977,468.555526 USDC in Harvest’s USDC vault, and exchanged 51,456,280.788906 fUSDC at the unit price fUSDC/USDC=0.97126080216. The unit price before the attack was 0.980007, and the current unit price of 0.9712 has dropped by about 1% from the previous month, and it has not triggered the 3% red line set by the Harvest arbitrage strategy. Therefore, the transaction was effective and successful without being forced to resume.
• The attacker exchanged the remaining 17239234.653146 USDC back to 17,230,747.185604 USDT through the y pool; due to the recovery of the impermanent loss effect, the value of USDC in the Y pool decreased at this time, and the attacker received 17,230,747.185604 USDT.
• The attacker withdrew coins from Harvest’s USDC vault. As the value of USDC in the Y pool decreased at this time, the unit price of fUSDC/USDC rose to 0.98329837664. The attacker exchanged all the shares of fUSDC (about 51.45 million) back to 50,596,877.367,825 USDC. Moreover, USDC is fully paid by Harvest’s USDC vault, and does not interact with the Y pool at all, so it will not affect the USDC price in the Y pool.
• After such an arbitrage, the attacker’s net profit (excluding flash loan borrowing costs) is 61,9408.812299 USDC. Then, the attacker repeated this process several times in the same transaction.
• Within 4 minutes, the attacker executed 17 attack transactions against the USDC vault, and then used a similar method to attack the USDT vault, and completed 13 attack transactions within 3 minutes.
• At 11:01:48 on October 26, Beijing time, the attacker transferred 13,000,000 USDC and 11,000,000 USDT from the attack contract to the address 0x3811765a53c3188c24d412daec3f60faad5f119b.
• After the incident was exposed, the attackers returned part of the funds to Harvest, totaling 1,761,898.396474 USDC and 718,914.048541 USDT.

After the attack, many people commented on Harvest Twitter that they lost 15%-20% of their funds. Many KOLs also recommend that users first withdraw funds from Harvest to ensure the safety of funds.

According to Harvest statistics, user losses are not optimistic: the unit price of USDC treasury fell from 0.980007 to 0.834953, and the unit price of USDT treasury fell from 0.978874 to 0.844812, a decrease of 13.8% and 13.7% respectively; the total loss was about 33.8 million U.S. dollars, which accounted for about the attack. 3.2% of the total value of locked positions in the agreement before the occurrence.

(2) Official attitude: In addition to remedies, the attacker can pay back the money

After the accident, the Harvest team issued a document stating that in order to protect users, measures have been taken to prevent funds from stablecoins and BTC gold deposits. Existing deposits will continue to earn FARM.

According to the announcement this morning, Harvest has withdrawn all funds from the shared pool, including DAI, USDC, USDT, TUSD, and WBTC and renBTC. These funds are currently stored in the vault and will not be subject to further market manipulation. In addition, the attack did not involve DAI, TUSD, WBTC, and renBTC, and the depositors of these vaults were not affected.

In addition, with regard to user compensation, Harvest said that the attacker returned more than 2.47 million US dollars, which will be proportionally distributed to affected depositors through snapshots, and other remedies will be analyzed and voted on in governance.

The accident also exposed the shortcomings of the Harvest system mechanism.

The SlowMist security team analyzed that the attack was mainly due to the fact that fToken (fUSDC, fUSDT, etc.) used the quotations in the Curve y pool during coin minting, which resulted in the attacker being able to control the amount of fToken minted by controlling the price of the oracle through huge exchanges. .

In response to quotation issues, Harvest will use an oracle machine to determine asset prices in the next step.

“Although an approximate asset price can be effectively determined from an external oracle (provided by Chainlink or Maker), it is very loosely related to the actual price. If the asset value in the underlying DeFi agreement is different from the oracle quotation, the vault will Faced with free arbitrage and lightning loan attacks. This is not Harvest’s solution, but we will consider the use of oracles in system design and possible mitigation strategies.”

In addition, in the future, Harvest Finance will implement a “submit-disclosure” mechanism for deposits to reduce lightning loan attacks and increase deposit arb configuration (the current threshold is set to 3%). In addition, Harvest Finance’s smart contract improvement plan originally scheduled to be released on October 27th will also be postponed to reassess its security in the context of the attack.

For the attacker, Harvest Finance announced the address involved in the case, and issued a document stating, “In addition to the BTC address holding the stolen funds, we now also obtain a large amount of personally identifiable information about the attacker. He is well-known in the encryption community.”

However, Harvest Finance does not seem to intend to trace the identity of the attacker.

“We are not interested in disclosing the personal information of the attacker. We respect your technology and originality as long as you return the money to the user. The attacker has proven their point. If they can return the money to the user, it will be Highly appreciated by all sectors of society, returning funds to affected users is the key point.”

In the announcement, Harvest Finance stated:

• We offer a $100,000 bounty to the first individual or team to help us retrieve funds.
• If the refund is completed within the next 36 hours, the reward is USD 400,000. Please do not search for attackers during this process. We strongly recommend that all efforts be focused on ensuring that user funds are successfully returned to deployers.

Because the attacker has been monetizing through RenBTC. As of press time, Harvest Finance has officially announced that it has obtained the relevant RenBTC withdrawal address through cooperation with RenProtocol, and announced the BTC address derived through RenProtocol. It is now seeking help from trading platforms such as Binance, Huobi, OKEx and Coinbase. Freeze relevant addresses.

(3) Harvest Finance, deep in negative public opinion

Since Harvest Finance has a rather “ambiguous” attitude towards the attackers, many voices believe that the official guards have stolen themselves, and staged a scene where the thief shouts to catch the thief.

Encrypted KOL@Bitcoin issued a question:

• In fact, nothing can be more profitable than directly grabbing the user’s principal. The total market value of FARM is 25 million, and the project party’s 20% of the coins will make 5 million even if all the coins are sold out. Earning thousands of dollars is the limit. A profit of tens of millions. Combining the project’s handling plan for this matter, I think it is indeed a high probability that the project team will guard and steal, so they will definitely not use their own money to fill this pit;
• The hacker took the risk and only stolen tens of millions of dollars but did not directly drain the hundreds of millions of dollars. Obviously, he did not want the project to die, and it was consistent with the team’s interests;
• Some investors asked if they could use some of the team’s coins to compensate the victims. Harvest replied that the amount of funds was too large to bear. In fact, everyone knows that there are two different things whether you can pay or whether you can afford it.
• According to investors, investors in the community have been reacting to the continuous decline in the net value of fusd being arbitraged, but the team has always turned a blind eye to this situation for more than a month, allowing “hackers” to arbitrage.

This is not the first time Harvest Finance has fallen into a crisis of public opinion.

Just two days before the arbitrage attack, DeFi observers revealed the risk: The more than $1 billion in funds locked in the project contract is completely controlled by anonymous developers, and the development team is suspected of deliberately concealing this fact.

Citing the security team’s Haechi audit report, Harvest Finance has a management key that allows holders to mint tokens and steal users’ funds at will. The management key may be held by the anonymous developer behind the project.

Biyin said that Harvest did not enter Biyin’s DeFi financial management. The biggest reason is that it did not pass the risk control of Biyin. In theory, they can even embezzle customer funds because they lack the necessary protection measures such as Timelock and multi-signature management. Use efficiency, adopts the fast effective strategy mechanism, but greatly sacrifices safety.

In response to the doubts from the outside world, Harvest Finance introduced a 12-hour time lock function in the contract, but it still failed to dispel users’ doubts.

After this attack storm, the amount of locked positions on the Harvest Finance chain has also plummeted from US$1.11 billion to US$450 million, a maximum drop of 60%.