Pierluigi Paganini
October 27, 2020
A hacker has stolen approximately $24 million worth of cryptocurrency assets from decentralized finance service Harvest Finance, a web portal that lets users finding the farming opportunities that will maximize their yield(APY) returns.
The hack took place earlier today and was almost immediately confirmed by Harvest Finance administrators in messages posted on the company’s Twitter account and Discord channel.
“On October 26, 02:53:31 AM +UTC, an attacker executed a theft of funds from the USDC and USDT vaults of Harvest Finance.” reads the security breach notification published by the company. “The attacker exploited an arbitrage and impermanent loss that influences the value of individual assets inside the Y pool of Curve.fi, which is where the funds of Harvest’s vaults were invested.”
The attackers initially invested large quantities of cryptocurrency assets in the company service and then used a cryptographic exploit to stole the platform’s funds and transfer them to wallets under its control.
The attacker successfully transferred 13,000,000 USD Coin (USDC) and 11,000,000 Tether (USDT) from the attacking contract to the address “0x3811765a53c3188c24d412daec3f60faad5f119b.”
Experts noticed that shortly after the attack, the hacker returned roughly $2.5 million back to Harvest Finance, but they ignore the reason.
The company immediately launched an investigation into the cyber heist, it claims to have linked the fraudulent activities to an individual “well-known in the crypto community.”
The company claims to have collected “a significant amount of personally identifiable information on the attacker initially offered a $400,000 bounty to anyone who will allow recovering the stolen funds. The bounty will be lowered to $100,000 after 36 hours of the announcement.
In addition to the BTC addresses which hold the funds, there is now a significant amount of personally identifiable information on the attacker, who is well-known in the crypto community.
— Harvest (@harvest_finance) October 26, 2020
We are putting out a 100k bounty for the first person or team to reach out to the attacker
The company hopes that the attacker will return the stolen funds:
We are not interested in doxxing the attacker, your skill and ingenuity is respected, just return the funds to the users
— Harvest (@harvest_finance) October 26, 2020
Harvest Finance explained that the attack was the result of an error it has made, anyway if the attacker will return the stolen funds it will not take legal action against the hacker.
“We made an engineering mistake, we own up to it,” explained the company.
“You’ve proven your point. If you can return the funds to the users, it would be greatly appreciated by the community, and let’s move on.”
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Harvest Finance)
[adrotate banner=”5″]
[adrotate banner=”13″]
