The curious case of Harvest Finance, Oct. 21-28

We were graced with one more typical “degen yield farm” popping in and out of relevance this week.

Harvest Finance collected as much as $1 billion in total value locked before an “economic exploit” sent it tumbling down. Its value locked now hovers around $300 million, and prospects for a recovery look bleak.

The exploit has once again reignited debates among DeFi community members as to whether these types of flash loan-based arbitrage attacks are actually hacks.

Harvest features yield farming vaults similar to Yearn’s. They issue tokenized vault shares based on the value of the assets supplied by users. Some of these vaults rely on Curve’s Y pool, which powers liquidity for swaps between USDT, USDC, DAI and TUSD.

The attack used flash loans to convert $17 million USDT into USDC through Curve, temporarily boosting the USDC price to $1.01. The attacker then used another flash-loaned stash of some $50 million USDC — which the system considered to be worth $50.5 million — to enter the Harvest USDC vault.

After entering, the attacker would reverse the previous USDC trade back into USDT to bring the price in balance, and then immediately redeem their shares of Harvest’s pools to receive $50.5 million in USDC — a net profit of $500,000 per cycle, repeated enough times to obtain $24 million in loot.

So is this a hack or not?

Technically, there were no vulnerabilities involved here. There was a bypassed check for these types of “arbitrage trades” that detects if the price of these stablecoins deviates too much from their intended value. But it was already set quite low and it’s really more of a mild inconvenience than an actual blocker — an attacker just needs to use more exploitation cycles.

This sequence is dizzying, and it still omits many steps.
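The cycle described above, reduced to a ledger model, shows why a price-deviation check caps the loss per round trip but not the total. This is an added example, not code from the article or from Harvest; the class, the function names, the basis-point threshold and the starting vault balance are all assumptions made for illustration.

```python
# Added illustrative model, not Harvest's contract code. All names are
# assumptions; amounts are whole USDC/USD, prices are basis points of $1.
from dataclasses import dataclass

PEG_BPS = 10_000  # $1.00


@dataclass
class SpotPricedVault:
    max_dev_bps: int        # deviation check: refuse if spot is further from peg
    credited_usd: int = 0   # what the vault owes its depositors
    usdc_held: int = 0      # what it actually holds

    def deposit(self, usdc, spot_bps):
        if abs(spot_bps - PEG_BPS) > self.max_dev_bps:
            return None                          # check trips, deposit refused
        credit = usdc * spot_bps // PEG_BPS      # valued at the skewed spot price
        self.credited_usd += credit
        self.usdc_held += usdc
        return credit

    def redeem(self, credit, spot_bps):
        usdc = credit * PEG_BPS // spot_bps      # paid out at the current price
        self.credited_usd -= credit
        self.usdc_held -= usdc
        return usdc


def leak_per_round_trip(vault, usdc, skewed_bps):
    """USDC the remaining depositors lose to one deposit/redeem pair that
    enters at a skewed price and exits once the price is back at peg."""
    credit = vault.deposit(usdc, skewed_bps)
    return 0 if credit is None else vault.redeem(credit, PEG_BPS) - usdc


def round_trips_to_lose(target_loss, usdc, max_dev_bps):
    """Worst case the check still permits: every round trip sits exactly at
    the threshold. Returns (round trips, resulting vault shortfall)."""
    funds = 2 * target_loss                      # constructed starting balance
    vault = SpotPricedVault(max_dev_bps, credited_usd=funds, usdc_held=funds)
    trips = 0
    while vault.credited_usd - vault.usdc_held < target_loss:
        if leak_per_round_trip(vault, usdc, PEG_BPS + max_dev_bps) <= 0:
            return None, 0                       # zero tolerance: nothing leaks
        trips += 1
    return trips, vault.credited_usd - vault.usdc_held
```

With the article's figures ($50 million per deposit, a $1.01 price) the model leaks $500,000 per round trip. Halving the tolerance halves the leak per trip and doubles the number of trips, so the total shortfall is unchanged.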

So in that sense, proponents of the theory that this is just an arbitrage trade are correct — there is no unintended behavior in the code, it’s more like weaponized market manipulation repeated at speed.

The Harvest Finance team nevertheless assumed responsibility for this as a design flaw, which is commendable.

Honestly, I’m not even sure what the point of these semantic debates is. People lost money in a preventable way. An audit should’ve caught this and marked it as a critical issue.

But there’s definitely a case to be made that it’s a different category from bugs like reentrancy. It highlights that these financial building blocks — often referred to as “money Lego” — must be designed with utmost care at the drawing board.

It’s like if somebody created a gun out of Lego parts and people were debating if the gun was “created” or “discovered” because the parts were technically assembled as designed. Either way the Lego parts should be reworked so that they can’t become a lethal weapon.

A bit too much trust for crypto standards

Before the hack, Harvest was notable for its extreme degree of centralization. In its glory days, all of the $1 billion could’ve been stolen by a single address, most likely controlled by the anonymous team behind the project. A couple of audits highlighted that fact, also making it clear that the address was able to nominate minters and create tokens at will.

Fans of the project vigorously defended it, saying that because of the time lock, the governance key holders could only steal the money 12 hours after signaling their intentions, or that they could only print a limited number of tokens.

I’ll let you be the judge of those arguments. The wider point is that in the search for yield, these “degens” are ignoring the basic tenets of decentralization and, you know, what DeFi is about.

And I’m not saying it’s bad because of some idealistic principles I have. It’s because of rug pulls. These are the exact circumstances that led to disasters like UniCats.