Harvest Finance a DeFi based project developed under Kava Blockchain has been attacked in a recent flashloan economic attack resulting in a $24 million loss off the protocol.
The error was an engineering problem which Harvest Finance would have avoided if proper steps was taken to mitigate possible loan exploitation by attackers on the flashloan pool.
What Happened?
“Like other arbitrage economic attacks, this one originated with a large flashloan, and manipulated prices on one money lego (curve y pool) to drain another money lego (fUSDT, fUSDC), many times.
The attacker then converted the funds to renBTC and exited to BTC. Like other flashloan attacks, the attacker did not give time to respond, performing the attack in 7 minutes end to end.
Wallet of the attacker exiting through renBTC gathered from @devops199fan can be seen here with transaction details. The economic attack was performed through the curve y pool, stretching the price of the stablecoins in Curve out of proportion and depositing and withdrawing a large amount of assets through harvest.”
Read Also: Trezor Wallet User Loses Funds to Hackers Despite Keeping the Seed Phrase Safe
Harvest Finance responded impromptu to the attack to protect users by pulling the y pool and btc curve strategy funds to the vault. Currently, all Stablecoin and BTC funds are in the vault (not deployed in a strategy). No other pools was affected.
Though currently, over two million USD has been reportedly returned by the attacker through USDT and USDC. The Harvest Finance team has opened a $100,000 bounty campaign to help get the attacker to return the funds he pulled out.
According to Harvest Finance, the flashloan economic attacker is actively money laundering the BTC through:
- Flugsvamp 3.0
- wm_cash
- Coins.ph
- Treddr
- Kraken
- Binance
- Huobi
There is currently a $100,000 bounty campaign up for anyone who can help in returning the funds back to the pool.
Discover more from DiutoCoinNews
Subscribe to get the latest posts sent to your email.
