A few hours ago, reports from users on Harvest Finance’s Discord channel claimed that they had lost 10-15% trying to unstake fUSDC, with many in the community soon voicing their concerns about a potential rug pull.
$FARM was down by over 70% at the time of writing. With over $500 million at risk, hackers/ruggers are reportedly moving funds into renBTC and attempting to sell it off.
According to a few community members, funds have also been sent to Tornado Cash to be laundered.
At the time of writing, a clear picture wasn’t available, with many confused about whether this is a Harvest issue or a Curve issue. However, Harvest Finance did confirm that something was going on when it released a statement announcing an “economic attack,” adding that the team is actively working on mitigating the attack on stablecoin and BTC pools.
We are working actively on the issue of mitigating the economic attack on the Stablecoin and BTC pools, and will update in this thread in realtime as soon as additional details are available
— Harvest Finance (@harvest_finance) October 26, 2020
The economic attack in question was performed through the Curve Y pool: the attacker stretched the price of stablecoins in Curve out of proportion and deposited and withdrew a huge amount of assets through Harvest. The protocol added,
“To protect users, we’ve pulled Y pool and BTC Curve strategy funds to the vault.”
At this stage, 100% of all stablecoin and BTC Curve strategy funds have been withdrawn from the strategy and deposited into a vault. Further, no other pools are said to have been affected by this attack.
Harvest also released a statement saying that its next steps to protect users include blocking deposits to the Stablecoin and BTC vault, while existing deposits will continue to earn $FARM. Finally, after claiming that the 7-minute attack originated with a huge flash loan, the protocol tweeted,
“The attacker sent back $2,478,549.94 to the deployer in the form of USDT and USDC. This will be distributed to the affected depositors pro-rata using a snapshot.”
The aforementioned revelation was greeted with mixed feelings by many in the community, with Riccardo Spagni commenting,
“‘The attacker’ sent some funds back because they’re such nice people. If this isn’t strong evidence that ‘the attacker’ and ‘the devs’ are the same then I don’t know what is.”
Interestingly, according to Chris Blec, $2.5 million worth of stablecoins were transferred into Harvest Finance’s anon developer admin key address from the hackers’ exploit contract.
— Chris Blec (@ChrisBlec) October 26, 2020
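The pro-rata distribution from a snapshot that Harvest describes above can be done exactly in integer base units, as in this added example (not Harvest's code). The snapshot addresses and balances are constructed, and treating the returned USDT and USDC as one 6-decimal dollar pool is an assumption.

```python
"""Exact pro-rata payout of a recovered amount over a balance snapshot."""

# $2,478,549.94 (figure from the article) in 6-decimal base units.
# Assumption: the USDT and USDC are treated as a single dollar pool.
RETURNED = 2_478_549_940_000

# Constructed snapshot: address -> vault balance in base units at the snapshot.
SNAPSHOT = {
    "0xaaa...constructed": 1_000_000_000_000,
    "0xbbb...constructed": 333_333_333_333,
    "0xccc...constructed": 1,
    "0xddd...constructed": 0,  # empty at snapshot time: must receive nothing
}


def pro_rata(snapshot: dict[str, int], pool: int) -> dict[str, int]:
    """Split `pool` across holders in proportion to snapshot balance.

    Integer arithmetic only: floats would leave payouts that do not sum
    to the pool. Leftover base units go to the largest remainders, with
    the address as tie-break so the result is reproducible by anyone
    re-running the calculation from the same snapshot.
    """
    if pool < 0 or any(b < 0 for b in snapshot.values()):
        raise ValueError("negative amount in pool or snapshot")
    total = sum(snapshot.values())
    if total == 0:
        raise ValueError("snapshot holds no balances")

    payout, remainders = {}, []
    for addr, bal in snapshot.items():
        payout[addr], rem = divmod(bal * pool, total)  # floor share
        remainders.append((rem, addr))

    dust = pool - sum(payout.values())  # always fewer units than holders
    for _, addr in sorted(remainders, key=lambda t: (-t[0], t[1]))[:dust]:
        payout[addr] += 1
    return payout


if __name__ == "__main__":
    result = pro_rata(SNAPSHOT, RETURNED)
    for addr, amount in result.items():
        print(f"{addr}: {amount / 10**6:,.6f}")
    print("distributed:", sum(result.values()) == RETURNED)
```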