Finance Redefined: The curious case of Harvest Finance, Oct. 21-28

Published on by Cointele | Published on

Harvest Finance collected as much as $1 billion in total value locked before an "Economic exploit" sent it tumbling down.

The exploit has once again reignited debates among DeFi community members as to whether these types of flash loan-based arbitrage attacks are actually hacks.

Harvest features yield farming vaults similar to Yearn's.

Some of these vaults rely on Curve's Y pool, which powers liquidity for swaps between USDT, USDC, DAI and TUSD. The attack used flash loans to convert $17 million USDT into USDC through Curve, temporarily boosting the USDC price to $1.01.

The attacker then used another flash-loaned stash of some $50 million USDC - which the system considered to be worth $50.5 million - to enter the Harvest USDC vault.

The attacker would reverse the previous USDC trade back into USDT to bring the price in balance, and then immediately redeem their shares of Harvest's pools to receive $50.5 million in USDC - a net profit of $500,000 per cycle repeated enough times to obtain $24 million in loot.

The Harvest Finance team nevertheless assumed responsibility for this as a design flaw, which is commendable.

Maybe there are other underlying issues, but I think they could eventually bounce back if no more incidents occur.

A ConsenSys report highlights an issue that has kind of been ignored so far, which is essentially the opportunity cost of staking in a DeFi environment.

The idea is pretty simple: money chases the highest yields, and DeFi seems to be offering plenty of them these days.

x