Hackers use flash loan tactic against Harvest Finance DeFi, steal $24m
A DeFi protocol called Harvest Finance was the victim of a hacking attack earlier today, which resulted in the theft of roughly $24m in digital currency. According to the company’s Twitter account, the hacker completed the attack in roughly seven minutes, giving them no time to counterattack.
Harvest Finance reported that the hacker stole $13m in USD Coin and $11m in Tether. In a mysterious turn of events, the malicious actor also returned $2.5m back to the platform, but it’s not clear why this happened.
The attackers used a ‘flash loan’ offensive to perpetrate this attack. In this technique, hackers invest a large number of cryptocurrency assets into the DeFi service and then use a cryptographic exploit to transfer the platform’s funds to their personal wallets.
Harvest Finance’s response
The company announced that it had disabled new deposits for stablecoins and BTC after the attack. It also stated that TUSD, DAI, WBTC, renBTC deposits were not affected.
Harvest Finance also tracked down ten addresses of BTC wallets where the hacker had siphoned off stolen funds. It requested prominent exchanges like Binance and Coinbase to block all transactions from these addresses.
In the hours following the theft, Harvest Finance updated its Twitter feed. It stated that in addition to the wallet addresses, the company had found enough “personally identifiable information” on the attacker and that the attacker was “well-known in the crypto community”. Moreover, the company announced a bounty of $100,000 for the individual or team that establishes contact with the hacker.
Harvest Finance also clarified that its intention was not to dox the hacker. “We are not interested in doxxing the attacker, your skill and ingenuity is respected, just return the funds to the users”, said a tweet made by the company roughly 24 hours ago.
The clarity issued by Harvest Finance is reassuring but inconclusive. While the company has declared a mitigation plan against future such flash loan attacks, this particular offensive stays unsolved at the time of writing.