The decentralized finance (DeFi) space is back in the spotlight again after another hack or exploit occurred. This time around, around $ 25 million worth of Ethereum-based stablecoins were stolen.
While this isn’t the biggest hack in cryptocurrency history, this has already been branded as notable as the project that was exploited was Harvest Finance. The yield-earning platform had garnered a lot of attention in the past few weeks after a number of major DeFi investors started mentioning and using the platform. Some have labeled it as a competitor to “Yearn.finance”, comparing the two platforms to some degree.
How $ 25 million of Ethereum-based stablecoins were stolen from Harvest
In the late evening of October 25, Ethereum users began to notice large transactions going on on the chain involving a number of crucial DeFi applications: Uniswap, Curve and Harvest Finance.
With the huge number of these transactions going on, it became clear that something had gone crazy.
Analysts quickly pointed out that the attacker was likely carrying out some sort of arbitrage attack, in which they used flash loans to systematically drain funds from Harvest due to inefficiencies between protocols.
A flash loan is a native DeFi concept where a user can borrow a huge amount of capital (often stablecoins) in a single transaction without providing collateral, then make sure to pay back the funds (plus an additional fee) at the end of that transaction.
A suspicious transaction is highlighted in the image below:
In all, $ 25 million worth of stablecoins were stolen from Harvest Finance pools through more than one transaction. The stablecoins have since been converted to RenBTC, which in turn has been redeemed for BTC. The attacker’s Bitcoin wallet has yet to be identified.
$ 2.5 million was returned to the Harvest Finance administrator for an unknown reason. The latter sum will be returned to users on a proportional basis.
There is some fallout in the DeFi space online. There has been some cheering for Harvest because it was the first completely anonymous DeFi team to have built a DeFi application on that scale. There are some who are attacking the concepts of anonymous teams, however, arguing that this is likely to have been an inside job.
There are also some unexpected winners from this.
Analysts shared information online indicating that since this attack involved Curve and Uniswap, those providing liquidity to the pools benefited greatly from the exploit, even if they did not approve of what was happening.
Uniswap liquidity providers earned around $ 6,000,000 while Curve liquidity providers earned $ 1,000,000, it was estimated.
– Jiecut (@ jiecut42) October 26, 2020
Away from the first flash loan attack
This is far from the first flash loan-based attack on a DeFi application.
As many will recall, Yearn.finance founder Andre Cronje has released trial contracts for an on-chain gaming experience called Eminence Finance. Although the contracts were clearly an experiment, users amassed $ 15 million in DAI.
The funds were stolen from the contract by someone who used a flash loan to drain the funds from the pool due to an exploit in the way the contract coins were distributed.
Other DeFi attacks have also exploited flash loans to quickly arbitrate inefficiencies between DeFi protocols, allowing for the theft of funds or at least the transfer from those who are unaware of the arbitration to those who do.
It could be argued that these are not “exploits” per se, but just natural inefficiencies in the DeFi market.
Do you like what you see? Sign up for daily updates.