Hacker was identified after the theft of $24 million from Harvest Finance

A threat actor has stolen roughly $24 million worth of cryptocurrency assets from decentralized finance service Harvest Finance.

A hacker has stolen approximately $24 million worth of cryptocurrency assets from decentralized finance service Harvest Finance, a web portal that lets users finding the farming opportunities that will maximize their yield(APY) returns.

The hack took place earlier today and was almost immediately confirmed by Harvest Finance administrators in messages posted on the company’s Twitter account and Discord channel.

“On October 26, 02:53:31 AM +UTC, an attacker executed a theft of funds from the USDC and USDT vaults of Harvest Finance.” reads the security breach notification published by the company. “The attacker exploited an arbitrage and impermanent loss that influences the value of individual assets inside the Y pool of Curve.fi, which is where the funds of Harvest’s vaults were invested.”

The attackers initially invested large quantities of cryptocurrency assets in the company service and then used a cryptographic exploit to stole the platform’s funds and transfer them to wallets under its control.

The attacker successfully transferred 13,000,000 USD Coin (USDC) and 11,000,000 Tether (USDT) from the attacking contract to the address “0x3811765a53c3188c24d412daec3f60faad5f119b.”

Experts noticed that shortly after the attack, the hacker returned roughly $2.5 million back to Harvest Finance, but they ignore the reason.

The company immediately launched an investigation into the cyber heist, it claims to have linked the fraudulent activities to an individual “well-known in the crypto community.”

The company claims to have collected “a significant amount of personally identifiable information on the attacker initially offered a $400,000 bounty to anyone who will allow recovering the stolen funds. The bounty will be lowered to $100,000 after 36 hours of the announcement.

The company hopes that the attacker will return the stolen funds:

Harvest Finance explained that the attack was the result of an error it has made, anyway if the attacker will return the stolen funds it will not take legal action against the hacker.

“We made an engineering mistake, we own up to it,” explained the company.

“You’ve proven your point. If you can return the funds to the users, it would be greatly appreciated by the community, and let’s move on.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Harvest Finance)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.