We have been graced with yet another typical “degen yield farm” that rose and became irrelevant within the same week.
Harvest Finance reached as much as $1 billion in total value locked before an “economic exploit” brought it down. Its TVL now sits at around $300 million, and the prospects for a recovery look grim.
The exploit once again reignited the debate in the DeFi community over whether these flash loan-based arbitrage attacks are in fact hacks.
Harvest’s design features yield-farming vaults similar to Yearn’s. They issue vault share tokens based on the value of the assets users deposit. Some of these vaults rely on Curve’s Y pool, which provides liquidity for swaps between USDT, USDC, DAI, and TUSD.
The attack used flash loans to convert 17 million USDT to USDC via Curve, temporarily pushing the USDC price up to $1.01. The attacker then deposited another flash-loaned reserve of some $50 million USDC – which the system valued at $50.5 million – into the Harvest USDC vault.
Once in, the attacker reversed the earlier trade, swapping USDC back into USDT to restore the price, and immediately redeemed the Harvest vault shares for $50.5 million in USDC – a net profit of $500,000 per cycle, repeated enough times to walk away with $24 million in loot.
So, is this a hack or not?
Technically, no vulnerability was involved. There was a check against exactly these kinds of “arbitrage transactions,” which detects whether the price of these stablecoins deviates too far from its expected value. But its threshold was set such that it amounts to a slight inconvenience rather than a true blocker – an attacker just needs to run more cycles.
So in that sense, those who argue this is just arbitrage are correct – there is no unintended behavior in the code; it’s more like repeated, high-speed market manipulation.
The Harvest Finance team nevertheless took responsibility for this as a design flaw, which is commendable.
Honestly, I don’t even know what the point of these semantic debates is. People have lost money in a preventable way. An audit should have detected it and marked it as a critical issue.
But there is certainly an argument to be made that this is a different category from bugs like reentrancy. It underscores that these financial building blocks – often referred to as “money Legos” – need to be designed with great care at the drawing-board stage.
It’s as if someone built a gun from Lego pieces and people are debating whether the gun was “created” or “discovered,” since the pieces were technically assembled as intended. Either way, the Lego pieces should be reworked so that they cannot become a deadly weapon.
A little too much confidence in crypto standards
Before the hack, Harvest stood out for its extreme degree of centralization. In its heyday, the entire billion dollars could have been stolen by a single address, likely controlled by the anonymous team behind the project. A few audits highlighted this fact, also noting that the address was able to appoint minters and mint tokens at will.
Fans of the project defended it vigorously, arguing that because of the timelock, the governance key holders could only steal the money 12 hours after announcing their intentions, and that they could only mint a limited number of tokens.
I’ll let you be the judge of those arguments. The bigger point is that in the hunt for yield, these “degens” ignore the basics of decentralization and, you know, what DeFi is about.
And I’m not saying that’s bad because of some idealistic principles I hold. It’s because of rug pulls. These are the exact circumstances that led to disasters like UniCats.
The crazy story of bZX
Speaking of hacks, I had the pleasure of interviewing the bZX team about their terrible year. They suffered a total of three hacks in 2020, although some of them are more like the “economic exploits” mentioned earlier.
The team is nothing if not dedicated. One story that was not included in the article was how Kyle Kistner jumped a fence in the middle of the night and broke into the gated community where his co-founder Tom Bean lived. There was apparently a bug that needed to be fixed literally ASAP.
Judging from the story, being a DeFi developer isn’t for the faint of heart, nor for people who like to sleep.
Of course, one can’t help but notice that bZX has been exploited a bit too often. As a former bug bounty hunter, I could certainly see how poor their security practices were earlier in the year – the bug bounty program was pretty bad, for example – but I also saw how they have corrected many of their mistakes. There might be other underlying issues, but I think they could eventually bounce back if no more mishaps occur.
The DeFi threat to staking
A ConsenSys report highlights an issue that has sort of been overlooked so far, which is essentially the opportunity cost of staking in a DeFi environment.
The idea is pretty simple: Money chases the highest returns, and DeFi seems to be offering a lot of that these days. Even something relatively tame like 20% APY could beat the potential of around 8% by staking and validating Ethereum 2.0.
This problem is further compounded when you consider that Ethereum Phase 0 will not allow you to withdraw or transfer the tokens you committed until Phase 1 or 2 arrives. You’re basically betting that the team will ship a full implementation within a reasonable time frame, and you’re not really rewarded for the risk.
In this scenario, the more popular DeFi gets, the less secure the network becomes, and that’s a big deal.
Fortunately, much of this is resolvable through staking derivatives – liquid tokens backed by staked collateral, a kind of ether IOU. There are risks involved – namely that the underlying collateral could be slashed and the IOUs would suddenly be worth less. The good thing for the network is that only DeFi is affected in that case, restoring the natural hierarchy of importance.
But it does highlight the number of unintended interactions that could occur in the future. DeFi can get extremely complex already, and if people don’t fully understand it, the consequences could be dire.