
The curious case of Harvest Finance, Oct. 21-28

We have been graced with another typical “degen yield farm” popping in and out of relevance this week.

Harvest Finance collected as much as $1 billion in total value locked before an “economic exploit” sent it tumbling down. Its value locked metric is now hovering around $300 million, and prospects for a recovery look bleak.

The exploit has once again reignited debates among DeFi community members as to whether these kinds of flash loan-based arbitrage attacks are actually hacks.

Harvest features yield farming vaults similar to Yearn’s. They issue tokenized vault shares based on the value of the assets supplied by users. Some of these vaults rely on Curve’s Y pool, which powers liquidity for swaps between USDT, USDC, DAI and TUSD.

The attack used flash loans to convert $17 million USDT into USDC through Curve, briefly pushing the USDC price up to $1.01. The attacker then used another flash-loaned stash of some $50 million USDC, which the system considered to be worth $50.5 million, to enter the Harvest USDC vault.

After entering, the attacker would reverse the earlier USDC trade back into USDT to bring the price back into balance, and then immediately redeem their shares of Harvest’s pools to receive $50.5 million in USDC: a net profit of $500,000 per cycle, repeated enough times to obtain $24 million in loot.

So is this a hack or not?

Technically, there were no vulnerabilities involved here. There was a check for these kinds of “arbitrage trades” that detects whether the price of these stablecoins deviates too much from their intended value, and it was bypassed. But it was already set quite loosely, and it is really more of a mild inconvenience than an actual blocker: an attacker just needs to use more exploitation cycles.
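To make the valuation flaw and the weakness of the deviation check concrete, here is a toy accounting model I have added (it is not Harvest’s or Curve’s code): a vault that values its pool position at the manipulable spot price, beside one that values it at a manipulation-resistant reference. The $300 million vault size, the 5% and 0.5% deviation thresholds, and pricing the hardened variant at a fixed 1.0 are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Vault:
    underlying: float     # USDC actually held via the pool position (constructed figure)
    shares: float         # vault shares outstanding
    max_deviation: float  # deviation check: reject if |spot - 1.0| exceeds this
    spot_priced: bool     # True = value the position at the pool spot price (the flaw)

    def reported_underlying(self, spot: float) -> float:
        # Flawed: the USDC-denominated value follows the manipulable pool spot, so a
        # 1% skew makes the vault look 1% smaller and each share 1% cheaper.
        # Hardened: price the position at a manipulation-resistant reference (fixed
        # at 1.0 here, standing in for a TWAP or external oracle) instead.
        return self.underlying / (spot if self.spot_priced else 1.0)

    def check_deviation(self, spot: float) -> None:
        if abs(spot - 1.0) > self.max_deviation:
            raise ValueError("stablecoin price deviation check tripped")

    def deposit(self, amount: float, spot: float) -> float:
        """Mint shares for `amount` USDC at the current share price; return shares minted."""
        self.check_deviation(spot)
        minted = amount * self.shares / self.reported_underlying(spot)
        self.underlying += amount
        self.shares += minted
        return minted

    def redeem(self, shares: float, spot: float) -> float:
        """Burn shares and pay out their pro-rata slice of the reported underlying."""
        self.check_deviation(spot)
        payout = shares * self.reported_underlying(spot) / self.shares
        self.underlying -= payout
        self.shares -= shares
        return payout


def cycle_gain(vault: Vault, deposit_usdc: float, skewed_spot: float) -> Optional[float]:
    """Deposit while the spot is skewed, redeem once it reverts to 1.0; return the
    depositor's net gain, or None if the deviation check blocked the deposit."""
    try:
        minted = vault.deposit(deposit_usdc, skewed_spot)
    except ValueError:
        return None
    return vault.redeem(minted, 1.0) - deposit_usdc
```

Run `cycle_gain(Vault(300e6, 300e6, 0.05, True), 50e6, 1.01)` to see the spot-priced vault hand a one-cycle gain (roughly $428,000 here; the article’s $500,000 is the $50 million times 1% upper bound before dilution across the enlarged vault) that comes straight out of the other depositors, while the reference-priced vault returns exactly 0. Halving the threshold to 0.5% only halves the per-cycle gain, which is why the check is a speed bump rather than a blocker.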

This sequence is dizzying, and it still omits many steps.

So in that sense, proponents of the theory that this is just an arbitrage trade are correct: there is no unintended behavior in the code, it is more like weaponized market manipulation repeated at speed.

The Harvest Finance team nonetheless assumed responsibility for this as a design flaw, which is commendable.

Honestly, I’m not even sure what the point of these semantic debates is. People lost money in a preventable way. An audit should’ve caught this and marked it as a critical issue.

But there’s definitely a case to be made that it’s a different class from bugs like reentrancy. It highlights that these financial building blocks, often referred to as “money Lego,” need to be designed with utmost care on the drafting board.

It’s like if somebody created a gun out of Lego parts and people were debating whether the gun was “created” or “discovered” because the parts were technically assembled as designed. Either way, the Lego parts need to be reworked so that they can’t become a lethal weapon.

A bit too much trust for crypto standards

Before the hack, Harvest was notable for its high degree of centralization. In its glory days, the entire $1 billion could’ve been stolen by a single address, likely controlled by the anonymous team behind the project. A few audits highlighted that fact, also making it clear that the address was able to nominate minters and create tokens at will.

Fans of the project vigorously defended it, saying that because of the time lock, the governance key holders could only steal the money 12 hours after signaling their intentions, or that they could only print a limited number of tokens.

I’ll let you be the judge of those arguments. The broader point is that in the search for yield, these “degens” are ignoring the basic tenets of decentralization and, you know, what DeFi is about.

And I’m not saying it’s bad because of some idealistic principles I have. It’s because of rug pulls. These are the exact circumstances that led to disasters like UniCats.