Harvest Finance Hack 2020 — $34M Exploit Analysis

Harvest Finance vaults were drained via flash loan price manipulation of Curve's USDC/USDT pools, exploiting the vault's reliance on spot prices.

Details

Full Description

The attacker used a $50M flash loan to manipulate USDC/USDT prices on Curve Finance's y pool, temporarily pushing the price of USDC below peg. Harvest Finance's USDC vault calculated share prices based on this manipulated spot price, allowing the attacker to deposit and withdraw repeatedly at artificially favorable rates, extracting profit each round.

Laundering Analysis

The attacker converted profits to renBTC and withdrew to a Bitcoin address. Approximately $2.5M was returned to the Harvest deployer address shortly after the attack — possibly a goodwill gesture or error. Remaining $31.5M moved through Bitcoin mixing services. The attacker left a message saying the exploit was 'not intentional' which was widely dismissed.

Sources

Transaction Hashes

Related Hacks

Back to Browse