Decentralized finance (DeFi) platform Harvest Finance suffered a $24 million economic attack on October 26. A day later, the platform published its post-mortem report, in which it took full responsibility for the engineering error and assured users that such incidents would be mitigated in the future.
Following the breach, Harvest Finance reportedly withdrew all the funds from the shared pools, which included DAI, USDC, USDT and TUSD as well as WBTC and renBTC. The report further stated that the funds were now held in the vaults and could not be subjected to further market manipulation, while noting that the attack did not involve DAI, TUSD, WBTC or renBTC, so depositors in those vaults were not affected.
According to Harvest Finance, the share price of the USDC vault decreased from 0.980007 to 0.834953, and that of the USDT vault from 0.978874 to 0.844812. Nearly $33.8 million in value was lost during the entire episode, corresponding to roughly 3.2% of the total value locked in the protocol before the attack.
As a possible remediation, Harvest Finance is planning to implement a commit-and-reveal mechanism for deposits, which would remove the ability to perform a deposit and a withdrawal within a single transaction. This, in turn, would make flash-loan-based attacks infeasible.
The company was also planning to deploy a stricter configuration of the existing deposit arb check in the strategies. Since the current threshold of 3% was not sufficient to protect the vault against the economic attack, Harvest Finance opined that a stricter threshold could make such an attack “economically infeasible”.
Other steps include withdrawals in the underlying asset, to prevent the attacking entity from generating a profit, and the use of oracles to determine asset prices. The platform also asserted that additional remediation methods would be analyzed and voted on in governance in the coming days.
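To make the three remediations above concrete, the following is an added toy model of a single-asset vault (constructed for this article, not Harvest Finance's own code) that enforces them: a deposit arb check that rejects minting when the pool's quote deviates from an oracle price by more than a configurable threshold (3% as on the page, or tighter), a same-block lock on deposit-then-withdraw (a simplified stand-in for commit-and-reveal), and withdrawals paid pro rata in the underlying asset rather than at a quoted value. The `Vault` class, its exception names, and the sample prices and block numbers are all assumptions made for the illustration.

```python
"""Toy vault with the guards described in the post-mortem.
Constructed illustration; not Harvest Finance's contract code."""
from dataclasses import dataclass, field


class DepositRejected(Exception):
    """Deposit arb check failed: pool quote too far from the oracle price."""


class SameBlockWithdrawal(Exception):
    """Withdrawal attempted in the same block as the user's deposit."""


@dataclass
class Vault:
    max_deviation: float = 0.03            # arb-check threshold (3% on the page)
    underlying: float = 0.0                # tokens actually held by the vault
    total_shares: float = 0.0
    shares: dict = field(default_factory=dict)         # user -> shares
    deposit_block: dict = field(default_factory=dict)  # user -> last deposit block

    @staticmethod
    def deviation(pool_price: float, oracle_price: float) -> float:
        # Relative distance between the (manipulable) pool quote and the oracle.
        return abs(pool_price - oracle_price) / oracle_price

    def share_price(self, pool_price: float) -> float:
        # Value of one share when holdings are valued at the pool quote.
        if self.total_shares == 0:
            return 1.0
        return self.underlying * pool_price / self.total_shares

    def deposit(self, user: str, amount: float, pool_price: float,
                oracle_price: float, block: int) -> float:
        """Mint shares for `amount` tokens; returns the number of shares minted."""
        # Deposit arb check: refuse to mint while the pool quote is off-oracle.
        dev = self.deviation(pool_price, oracle_price)
        if dev > self.max_deviation:
            raise DepositRejected(
                f"pool/oracle deviation {dev:.2%} exceeds {self.max_deviation:.2%}")
        minted = amount / self.share_price(pool_price)
        self.underlying += amount
        self.total_shares += minted
        self.shares[user] = self.shares.get(user, 0.0) + minted
        # Record the block so a withdrawal cannot land in the same block
        # (simplified commit-and-reveal: commit now, act in a later block).
        self.deposit_block[user] = block
        return minted

    def withdraw(self, user: str, n_shares: float, block: int) -> float:
        """Burn shares and pay out underlying tokens pro rata; returns tokens paid."""
        if block <= self.deposit_block.get(user, -1):
            raise SameBlockWithdrawal("deposit and withdrawal in one block")
        if n_shares > self.shares.get(user, 0.0):
            raise ValueError("insufficient shares")
        # Pay in the underlying asset itself, so no pool quote is involved
        # and there is nothing for a manipulated price to inflate.
        tokens_out = n_shares * self.underlying / self.total_shares
        self.shares[user] -= n_shares
        self.total_shares -= n_shares
        self.underlying -= tokens_out
        return tokens_out


if __name__ == "__main__":
    v = Vault()  # 3% threshold
    print("alice shares:", v.deposit("alice", 1000, 1.0, 1.0, block=1))
    try:
        v.withdraw("alice", 1000, block=1)
    except SameBlockWithdrawal as e:
        print("blocked:", e)
    try:
        v.deposit("bob", 100, 1.05, 1.0, block=3)
    except DepositRejected as e:
        print("blocked:", e)
    print("alice tokens out:", v.withdraw("alice", 500, block=2))
```

A stricter vault is just `Vault(max_deviation=0.01)`: a 2% pool/oracle gap that the 3% configuration accepts is then rejected, which is the "stricter configuration of the existing deposit arb check" the post-mortem refers to. Note the trade-off a practitioner would weigh: the tighter the threshold, the more often honest deposits revert during ordinary volatility, so the oracle source and its update latency matter as much as the number.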
The DeFi platform had previously stated that there was a “significant amount of personally identifiable information on the attacker”, and that the attacker was “well-known” in the crypto community. Harvest Finance concluded:
“We made an engineering mistake, we own up to it. Thousands of people are acting as collateral damage, so we humbly request the attacker to return funds to the deployer, where it will be distributed back to the users in its entirety.”