Finance Redefined: The Curious Case of Harvest Finance, October 21-28


This week brought yet another typical “degenerate yield farm” that rose and fell within days.

Harvest Finance reached up to $1 billion in total value locked before an “economic exploit” brought it down. Its value locked is now around $300 million, and the prospects for a recovery look grim.

The exploit once again reignited debates among members of the DeFi community as to whether these types of flash loan-based arbitrage attacks are in fact hacks.

Harvest’s main feature is a set of yield farming vaults similar to Yearn’s. They issue vault share tokens based on the value of the assets users deposit. Some of these vaults rely on Curve’s Y pool, which provides liquidity for swaps between USDT, USDC, DAI and TUSD.

The attack used flash loans to convert 17 million USDT into USDC via Curve, temporarily pushing the USDC price up to $1.01. The attacker then used another flash-loaned reserve of some $50 million USDC (which the system valued at $50.5 million) to enter the Harvest USDC vault.

Once in, the attacker reversed the earlier trade, swapping USDC back into USDT to restore the price, and then immediately redeemed the Harvest pool shares for $50.5 million in USDC, a net profit of $500,000 per cycle. The cycle was repeated enough times to walk away with $24 million.

So, is this a hack or not?

Technically, there was no vulnerability involved. There was a check against these kinds of “arbitrage transactions” that detects whether the price of these stablecoins deviates too far from its expected value, but it was bypassed: it was set at a level that makes it more of a slight inconvenience than a true blocker, since an attacker just needs to run more cycles.
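The over-crediting mechanism, and why a deviation check only changes the number of cycles, can be seen in a small simulation. The Python below is an added example written for this article; it is not Harvest Finance’s code or an audit artifact. It is a deliberately simplified vault model (the manipulated price is applied only to the fresh deposit, which is enough to reproduce the arithmetic above) and uses the article’s round figures ($50 million deposit, $1.01 price, $24 million total) as constructed scenario inputs. The vault size, the thresholds and the `ToyVault` / `cycles_needed` / `is_rejected` names are assumptions.

```python
"""Toy model of a vault that credits deposits at a manipulable pool price.

Constructed for illustration; not Harvest Finance's code. The dollar
figures used as inputs are the article's round numbers.
"""
from dataclasses import dataclass
from math import ceil


class DeviationError(Exception):
    """Deposit or withdrawal refused: pool price too far from par."""


@dataclass
class ToyVault:
    accounting_usd: float   # what share pricing believes the assets are worth
    real_usd: float         # what the assets are actually worth at par
    shares: float           # outstanding vault shares
    max_deviation: float    # tolerated |price - 1| for deposits and withdrawals

    def check_price(self, price: float) -> None:
        # The deviation check the article describes: refuse if the pool
        # price has moved further from $1 than the configured band.
        if abs(price - 1.0) > self.max_deviation + 1e-12:
            raise DeviationError(f"USDC price {price:.4f} outside tolerated band")

    def deposit(self, usdc: float, price: float) -> float:
        """Mint shares for a USDC deposit and return the shares minted.

        The design flaw modelled here: the deposit is credited at the pool's
        current spot price rather than at par, so a temporarily inflated
        price mints more shares than the deposit is worth.
        """
        self.check_price(price)
        credited = usdc * price
        minted = credited * self.shares / self.accounting_usd
        self.accounting_usd += credited
        self.real_usd += usdc            # the vault really only received `usdc`
        self.shares += minted
        return minted

    def withdraw(self, shares: float, price: float) -> float:
        """Burn shares and pay out USDC valued at the current pool price."""
        self.check_price(price)
        usd_value = shares * self.accounting_usd / self.shares
        paid_usdc = usd_value / price
        self.accounting_usd -= usd_value
        self.real_usd -= paid_usdc
        self.shares -= shares
        return paid_usdc

    def hidden_loss(self) -> float:
        """Gap between what the vault believes it holds and what it really holds;
        this is the loss borne by the vault's other depositors."""
        return self.accounting_usd - self.real_usd


def one_cycle(vault: ToyVault, deposit_usdc: float, inflated_price: float) -> float:
    """Deposit while USDC is priced above par, withdraw once it is back at par.
    Returns the loss pushed onto the other depositors by this one cycle."""
    before = vault.hidden_loss()
    minted = vault.deposit(deposit_usdc, inflated_price)
    vault.withdraw(minted, 1.0)
    return vault.hidden_loss() - before


def simulate(vault_usd: float, deposit_usdc: float, max_deviation: float, cycles: int) -> float:
    """Total depositor loss after `cycles` cycles run right at the tolerated band."""
    vault = ToyVault(vault_usd, vault_usd, vault_usd, max_deviation)
    price_at_band = 1.0 + max_deviation
    return sum(one_cycle(vault, deposit_usdc, price_at_band) for _ in range(cycles))


def cycles_needed(target_usd: float, deposit_usdc: float, max_deviation: float) -> int:
    """Cycles a deviation check of `max_deviation` forces for a given total drain.
    The check caps the gain per cycle at deposit * max_deviation, nothing more."""
    per_cycle = deposit_usdc * max_deviation
    return ceil(target_usd / per_cycle - 1e-9)


def is_rejected(vault: ToyVault, usdc: float, price: float) -> bool:
    """True if the deviation check refuses a deposit at this price."""
    try:
        vault.deposit(usdc, price)
    except DeviationError:
        return True
    return False


if __name__ == "__main__":
    # Article's scenario: $50M flash-loaned USDC with the price pushed to $1.01.
    print(f"loss per cycle: ${simulate(300e6, 50e6, 0.01, 1):,.0f}")
    for band in (0.01, 0.001):
        print(f"max_deviation={band}: {cycles_needed(24e6, 50e6, band)} cycles to drain $24M")
```

Tightening `max_deviation` by a factor of ten only multiplies the number of cycles by ten; every cycle still moves value from the other depositors to the caller, which is why the check is an inconvenience rather than a blocker. Closing the gap means the share accounting itself has to stop trusting a price that a single transaction can move.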

This sequence is dizzying and still omits many steps.

So in that sense, proponents of the theory that this is just arbitrage are correct: there is no unintended behavior in the code; it is more like repeated, high-speed market manipulation.

The Harvest Finance team nevertheless took responsibility for this as a design flaw, which is commendable.

Honestly, I don’t even know what the point of these semantic debates is. People have lost money in a preventable way. An audit should have detected it and marked it as a critical issue.

But there is certainly an argument to be made that this is a different category from bugs like reentrancy. It stresses that these financial building blocks, often referred to as “money Legos,” need to be designed with great care on the drawing board.

It’s as if someone built a gun from Lego parts and people are debating whether the gun was “created” or “discovered,” because the parts were technically assembled as intended. Either way, the Lego pieces should be redesigned so that they cannot become a deadly weapon.

A little too much confidence in crypto standards

Before the hack, Harvest stood out for its extreme degree of centralization. In its heyday, the entire billion dollars could have been stolen by a single address, likely controlled by the anonymous team behind the project. Several audits highlighted this fact, also noting that the address was able to appoint minters and mint tokens at will.


Fans of the project vigorously defended it, claiming that because of the timelock, governance key holders could only steal the money 12 hours after announcing their intentions, or could only mint a limited number of tokens.

I will let you judge these arguments. The bigger point is that in the search for yield, these “degens” ignore the basics of decentralization and, you know, what DeFi is.

And I’m not saying it’s bad because of some idealistic principles I have. It’s because of rug pulls. These are the exact circumstances that led to disasters like UniCats.