The anatomy of a $25m DeFi exploit on Ethereum
The decentralized finance (DeFi) space has once again come under the spotlight after another hack or exploit took place. This time, approximately $25 million worth of Ethereum-based stablecoins were stolen.
While this is not the largest hack in crypto history, this has already been branded as notable as the project that was exploited was Harvest Finance. The yield-earning platform had garnered much attention over recent weeks after a number of notable DeFi investors began to mention and use the platform. Some branded it a “Yearn.finance” competitor, comparing the two platforms to some extent.
How $25m worth of Ethereum-based stablecoins were stolen from Harvest
Late on the evening of Oct. 25, Ethereum users began to notice large transactions taking place on-chain that involved a number of crucial DeFi applications: Uniswap, Curve, and Harvest Finance.
With the sheer number of these transactions taking place, it became clear that something was amok.
Analysts quickly highlighted that the attacker was likely completing some sort of arbitrage attack, where they utilized flash loans to systematically drain funds from Harvest due to inefficiencies between protocols.
A flash loan is a DeFi-native concept where a user can borrow a massive amount of capital (often stablecoins) in a single transaction without putting up collateral, then ensure they return the funds (plus an additional fee) at the end of that transaction.
One suspicious transaction is highlighted in the image below:
In all, $25 million worth of stablecoins were stolen from the Harvest Finance pools through multiple of these transactions. The stablecoins have since been converted to RenBTC, which in turn were redeemed for BTC. The attacker’s Bitcoin wallet has yet to be identified.
$2.5 million was returned to the Harvest Finance admin for an unknown reason. The latter sum will be returned to users on a pro-rata basis.
There is some fallout in the DeFi space online. There were some rooting for Harvest because they were the first fully anonymous DeFi team to have built a DeFi application at that scale. There are some that are bashing the concepts of anonymous teams, though, arguing it is likely that this was an inside job.
There are also some unexpected winners from this.
Analysts shared information online indicating that because this hack involved Curve and Uniswap, those that were providing liquidity to the pools profited handsomely from the exploit, even if they didn’t endorse what was going on.
Uniswap liquidity providers made around $6,000,000 while Curve liquidity providers made $1,000,000, it has been estimated.
— jiecut (@jiecut42) October 26, 2020
Far from the first flash loan attack
This is far from the first flash loan-based attack on a DeFi application.
As many may remember, Yearn.finance founder Andre Cronje released test contracts for an on-chain gaming experience called Eminence Finance. While the contracts were clearly an experiment, users piled in $15 million worth of DAI.
The funds were stolen from the contract by someone who used a flash loan to drain the funds from the pool due to an exploit in how the contracts’ coins were distributed.
Other DeFi attacks have also leveraged flash loans to rapidly arbitrage out inefficiencies between DeFi protocols, enabling funds to be stolen or at least transferred from those without knowledge of the arbitrage to those with knowledge of it.
It could be argued that these are not “exploits” per se but just natural inefficiencies in the DeFi market.