Harvest Finance Admits Engineering Error Led to $24M Theft

Post-mortem report pledged that affected users would be compensated

Harvest Finance is a decentralized finance (DeFi) yield protocol that deploys users' deposits across other DeFi platforms through automated strategies to maximize returns. Yield farming remains experimental, and the smart contracts behind it carry inherent risk, as yesterday's incident demonstrated.

The exploit occurred on October 26 at 02:53:31 UTC, when an attacker drained approximately $24 million in USDC and USDT from Harvest Finance vaults by manipulating asset valuations within the Curve.fi Y pool, which the vaults' strategies rely on to price their holdings. The attacker funded the manipulation with a large flash loan and profited from the resulting arbitrage between the distorted pool price and the vault's share price.

The Harvest Finance post-mortem, published last night, explains that the attacker used high-volume trades to push the price of fUSDC shares down by about 1%. Because that deviation stayed below the 3% threshold of Harvest's internal arbitrage check, the strategy did not revert the transactions.

The attacker executed 17 attack transactions against the USDC vault and then repeated the process against the USDT vault; the entire operation took roughly seven minutes. Nearly $2.5 million was later returned to Harvest's deployer address.

The exploit pushed the fUSDC share price down 13.8% and the fUSDT share price down 13.7%. Harvest Finance estimated the protocol suffered a loss equal to 3.2% of its total value locked. CoinGecko data show the FARM native token plunged about 58%, falling from $232.78 to $96.90 in the three hours following the attack.

Harvest Finance has accepted responsibility for an engineering oversight that enabled the attack and has made compensating affected users a top priority. The team also postponed planned smart contract upgrades scheduled for today until they can be thoroughly reassessed for security.

To prevent future incidents, the team is evaluating mitigations such as tightening the arbitrage-check threshold, pricing assets through an oracle rather than the pool's manipulable spot valuation, and introducing a commit-reveal mechanism for deposits so that a deposit and a withdrawal cannot be executed in a single transaction, which removes the atomic round trip a flash-loan attack depends on.
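The attack sequence (flash-loaned trade, deposit at the depressed share price, reverse the trade, withdraw) and the three mitigations above, as an added toy model that is not Harvest's or Curve's code. It assumes a constant-product USDC/USDT pool (Curve's Y pool is a stableswap and far less price-sensitive, so the trade needed here is much smaller than in the real incident), a vault that values its pool position pro rata at the pool's spot rate, and a same-block deposit/withdraw guard as a stand-in for the proposed commit-reveal scheme; every balance, class and function name (`Pool`, `Vault`, `attack`, `simulate`) is constructed for illustration.

```python
"""Toy model of the share-price manipulation described above and of the
three mitigations Harvest listed. Constructed example, not Harvest's or
Curve's code: constant-product pool instead of Curve's stableswap, LP share
valued pro rata at spot, and every balance and name is made up."""
from dataclasses import dataclass, field

class Revert(Exception): pass  # stands in for a Solidity revert

@dataclass
class Pool:
    """Constant-product USDC/USDT pool (usdc * usdt = k)."""
    usdc: float
    usdt: float

    def swap(self, usdt_in=0.0, usdc_in=0.0):  # returns the other asset paid out
        k = self.usdc * self.usdt
        if usdt_in:
            self.usdt += usdt_in
            out = self.usdc - k / self.usdt
            self.usdc -= out
        else:
            self.usdc += usdc_in
            out = self.usdt - k / self.usdc
            self.usdt -= out
        return out

    def lp_value_spot(self, frac):  # USDC value, USDT priced at spot (usdc/usdt)
        return frac * (self.usdc + self.usdt * self.usdc / self.usdt)

    def lp_value_fair(self, frac):  # same at the reference rate 1 USDT = 1 USDC
        return frac * (self.usdc + self.usdt)

@dataclass
class Vault:
    pool: Pool
    lp_frac: float            # fraction of the pool the strategy owns
    buffer: float             # idle USDC held by the vault
    shares: float             # fUSDC supply
    limit: float = 0.03       # arbitrage check: max spot-vs-fair deviation
    use_oracle: bool = False  # mitigation: value the position at the fair rate
    block_lock: bool = False  # mitigation: no deposit + withdrawal in one block
    deposit_block: dict = field(default_factory=dict)

    def _check_arbitrage(self):
        spot = self.pool.lp_value_spot(self.lp_frac)
        fair = self.pool.lp_value_fair(self.lp_frac)
        if abs(fair - spot) / fair > self.limit:
            raise Revert("arbitrage check: deviation above limit")

    def share_price(self):
        value = (self.pool.lp_value_fair if self.use_oracle
                 else self.pool.lp_value_spot)(self.lp_frac)
        return (self.buffer + value) / self.shares

    def deposit(self, who, usdc, block):
        self._check_arbitrage()
        minted = usdc / self.share_price()
        self.buffer += usdc
        self.shares += minted
        self.deposit_block[who] = block
        return minted

    def withdraw(self, who, shares, block):
        self._check_arbitrage()
        if self.block_lock and self.deposit_block.get(who) == block:
            raise Revert("deposit and withdrawal in the same block")
        out = shares * self.share_price()
        if out > self.buffer:
            raise Revert("insufficient buffer")  # toy: no LP unwinding
        self.buffer -= out
        self.shares -= shares
        return out

def attack(vault, rounds, deposit, target_dev, block=1):
    """One atomic transaction per round: push the pool, deposit cheap,
    restore the pool, withdraw dear. Returns the attacker's net USDC profit."""
    pool, profit = vault.pool, 0.0
    for _ in range(rounds):
        # Size the flash-loaned USDT swap so the spot valuation drops by
        # target_dev, staying under the vault's limit (the 1% vs 3% gap above).
        usdt_in = pool.usdt * (1 / (1 - target_dev) - 1)
        usdc_out = pool.swap(usdt_in=usdt_in)
        minted = vault.deposit("attacker", deposit, block)
        usdt_back = pool.swap(usdc_in=usdc_out)         # undo the manipulation
        got = vault.withdraw("attacker", minted, block)
        profit += (got - deposit) + (usdt_back - usdt_in)  # after repaying the loan
    return profit

def simulate(limit=0.03, use_oracle=False, block_lock=False, rounds=17):
    """Fresh constructed scenario; returns ("ok", profit) or ("revert", reason)."""
    pool = Pool(usdc=100_000_000.0, usdt=100_000_000.0)
    vault = Vault(pool, lp_frac=0.10, buffer=5_000_000.0, shares=25_000_000.0,
                  limit=limit, use_oracle=use_oracle, block_lock=block_lock)
    try:
        return "ok", attack(vault, rounds, deposit=20_000_000.0, target_dev=0.01)
    except Revert as exc:
        return "revert", str(exc)
```

With the constructed balances, `simulate(rounds=1)` nets the attacker about $89,000 and `simulate()` roughly $1.5 million over 17 rounds, paid for entirely by the other depositors since the share supply is unchanged afterwards. `simulate(limit=0.005)` reverts at the deposit, `simulate(use_oracle=True)` leaves the attacker with a small loss because the share price no longer follows the manipulated spot rate, and `simulate(block_lock=True)` reverts at the withdrawal. Note that a tighter threshold only shrinks the attacker's per-round edge; the attacker can resize the trade to stay under it, which is why the other two mitigations matter more.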

Harvest Finance stated it had no interest in pursuing the attacker, but it offered a $100,000 reward to the first individual or team that helps return the funds, and a $400,000 reward if the funds are returned within the next 36 hours.

Some members of the crypto community have expressed suspicion that Harvest Finance’s developers might have been involved. DeFi analyst Chris Blec noted on Sunday that Harvest was managed by an anonymous team with an admin key that could potentially be used to drain funds.