Just before midnight on Sunday October 25th harvest.finance was subject to an Oracle manipulation exploit that created an arbitrage opportunity allowing their liquidity pools to be drained of $25,000,000. Approximately $1,000,000,000 was being staked on Harvest at the time of the exploit and Harvest was trading at $233 per coin. In less than an hour the price fell to just $77, a drop of 67%. TVL (total value locked) in the platform has fallen by a huge number also, $600,000,000 in capital has been withdrawn from the platform as people no longer trust it to keep their funds secure.
How did this attack happen?
The attack vector for this attack was on chain price oracle manipulation, in this case the price of the USDT/USDC pair on curve finance was subject to manipulation, we will break it down into simple steps here, credit to @valentinmihov on twitter https://twitter.com/valentinmihov for this.
Here is the transaction broken down into parts:
Step 1: Flashloan of $50,000,000 in USDC from Uniswap
Step 2: Trade 11.4m USDC to USDT on curve.finance (increased price of USDT)
Step 3: Deposit 60.6m USDT into Harvest Vault
Step 4: Exchange 11.4m USDT back to USDT (decrease price of USDT)
Step 5: Withdraw 61.1m USDT from Harvest Vault ($500,000 profit - 10 ETH fee)
Step 6: Repay flashloan to USDC pool on Uniswap
How is the attacker able to withdraw the extra USDT from the vault?
When a user deposits his/her funds into a vault, they receive shares(tokens) for that vault, which can then be exchanged for the collateral in the vault. Because the price provided to the vault by the oracle had been changed, the amount of tokens that could be withdrawn by the exploiter was more than what they originally deposited.
How could Chainlink have prevented this attack?
Chainlink price Oracles are aggregates that pull data from multiple sources. Harvest was not using multiple Oracles in their vault smart contract, this created a single point of failure for their ecosystem. If they had been using an aggregated Oracle feed for USDC/USDT prices, the change in price on curve.finance would not have made their vault available for exploitation. While exploits such as this can be painful, it can be a valuable learning opportunity that highlights the importance Oracles have for blockchain security.
The platform Quantify Crypto provides live cryptocurrency prices, technical analysis, news, heatmaps and more.
Next month we will be launching a new DeFi focused product at defiheatmap.com stay tuned for Updates.