The anatomy of a @FARM hack

Heruvim78
3 years ago

I am keeping an eye on FARM and the Harvest Finance project. And this morning I saw this:

"Harvest finance was hacked!"

So, I was like, hacker?!?

Yes, apparently Harvest Finance was hacked using the Curve y pool, and, to quote them, this was the strategy used:

"Like other arbitrage economic attacks, this one originated with a large flashloan, and manipulated prices on one money lego (curve y pool) to drain another money lego (fUSDT, fUSDC), many times. The attacker then converted the funds to renBTC and exited to BTC"

For more information, follow the Twitter or Discord conversation.

As a direct result of this, they pulled the Stablecoins and Bitcoin pools into the vault, to minimize the damage, but not before the hacker made it out with 25 million dollars. At the moment there is a 100.000 dollar bounty on the hacker, and a request to return the money, as, apparently (and I checked, I swear, these guys do not deserve the hacker name, they are maybe lucky programmers) there is a clear way, easy to follow, to see where the money has gone.

Shall I try? Maybe it is not that hard to get the bounty. Let's see.

We got the addresses from the attacker (all of them having BTC and BCH addresses, but I checked a few BCH addresses and they seem to be empty):

1Paykw4s2WX4SaVjDrQkwSiJr16AiANhiM - 250 BTC were sent to this address before 23274 BTC were sent to the Farm vault. That is only 1% lost on this pool. But we also have 44 BTC hacked from another pool, before 23229 BTC were sent to the vault. That is 0.06% drained. This is on the BTC account. The 295 BTC were sent to another 2 addresses:

3C4bs1CLVSa3mohMNZyHQuQqEFpepGYapD 2.00000000 BTC

1BnSTBChHYW1o9c5s4WiE5U319sNaALiR1 293.10150600 BTC

Let's follow the big amount, 293 BTC, in particular, and we go through what seems to be a mixer of some kind, and after 6 consecutive transactions, most of the funds are deposited into 16ahto95Dw2V67VwqP373NXuyj1BCP7eeT.

Interesting, let's see the second address on the list.

1HLG86DDEzAxAGmEzxr1SUfPCWcnWA6bMm - this one has 199 BTC sent and left there.

14stnrgMFNR4LesqQRUdo5n1VUx9xdAMeg - this one has 226 BTC sent and left there.

18w2Bm2cCsbLjWQU9BcnjzK8ErmzozrVa3 - this one has almost 200 BTC sent and left there.

1FS2t2eAjmjaNmADN6SMHYo7G4XGpX1osS - this one has almost 200 BTC sent and left there.

1NdAJ89k1qpRMpZLwuYGQ7VnM45xD2NJXa - this one has almost 200 BTC sent and left there.

1CLHhshrusvT4XADWA29R2H4ndsSUamEWn - this one has almost 200 BTC sent and left there.

1FS2t2eAjmjaNmADN6SMHYo7G4XGpX1osS - this one has almost 200 BTC sent and left there.

1CLHhshrusvT4XADWA29R2H4ndsSUamEWn - this one has almost 200 BTC sent and left there.

So, I am thinking that the first one was the test, and he couldn't believe that a vulnerability similar to the ERC777 vulnerability, which is well known in Chinese hacker circles. Also, the hacker could have been inspired by the imBTC Uniswap Pool hack from April 18th, 2020, with some similarities to the bZx Flash Attack. But while the mentioned attacks made only 300k and 1 million dollars, this one was done 10 times in a row, with an average of 2.5 million siphoned with each attack. I will keep the rest of the investigation to myself now, just in case I run into some lucky clues; 100k is a nice bounty.

Now, this story may have a happy ending, as they said that personal data of the attacker could be linked to the used account. Also, Bitcoin transactions are public, trackable and stored on the blockchain forever, so they are easy to track, making Bitcoin not ideal to use for hacked cryptocurrency. If you did not know, they can even be traced to the private wifi used when you made the address, and this is easily linked with an identity. There are many other tricks, but we are not here to teach hackers how to properly do it, right?
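The "follow the big amount" step used above on the 293 BTC output can be automated over a transaction graph. This is an added example, not the author's tooling: only the named addresses and the first 2.00000000 / 293.10150600 BTC split come from the post, while the HOP and CHANGE labels, all later amounts and the function names are constructed for illustration.

```python
from decimal import Decimal as D

START = "1Paykw4s2WX4SaVjDrQkwSiJr16AiANhiM"
FIRST = "1BnSTBChHYW1o9c5s4WiE5U319sNaALiR1"
END = "16ahto95Dw2V67VwqP373NXuyj1BCP7eeT"

# spender -> [(recipient, BTC)]. First split is from the post; the rest is
# constructed sample data (HOP*/CHANGE* are placeholders, fees ignored).
SAMPLE_SPENDS = {
    START: [("3C4bs1CLVSa3mohMNZyHQuQqEFpepGYapD", D("2.00000000")),
            (FIRST, D("293.10150600"))],
    FIRST: [("HOP1", D("290")), ("CHANGE1", D("3.10150600"))],
    "HOP1": [("HOP2", D("285")), ("CHANGE2", D("5"))],
    "HOP2": [("HOP3", D("280")), ("CHANGE3", D("5"))],
    "HOP3": [("HOP4", D("275")), ("CHANGE4", D("5"))],
    "HOP4": [("HOP5", D("270")), ("CHANGE5", D("5"))],
    "HOP5": [(END, D("265")), ("CHANGE6", D("5"))],
}

def follow_largest(spends, start, max_hops=20, min_share=D("0.5")):
    """Follow the dominant output hop by hop; return (trail, stop_reason)."""
    trail, seen, addr = [], {start}, start
    for _ in range(max_hops):
        outputs = spends.get(addr)
        if not outputs:
            return trail, "unspent"       # funds are still sitting at addr
        total = sum(amount for _, amount in outputs)
        nxt, amount = max(outputs, key=lambda o: o[1])
        if amount / total < min_share:
            return trail, "fan-out"       # no dominant output (e.g. a mixer)
        if nxt in seen:
            return trail, "cycle"         # funds looped back; stop
        seen.add(nxt)
        trail.append((nxt, amount))
        addr = nxt
    return trail, "hop-limit"

def retained_share(trail):
    """Share of the first followed output that reaches the last hop."""
    return trail[-1][1] / trail[0][1]

if __name__ == "__main__":
    trail, reason = follow_largest(SAMPLE_SPENDS, START)
    for addr, amount in trail:
        print(f"{amount:>14} BTC -> {addr}")
    print(reason, f"{retained_share(trail):.1%} retained")
```

The heuristic deliberately gives up with "fan-out" when no single output carries at least half the value, which is the point where a real mixer defeats largest-output following and other evidence is needed.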

Anyway, as a word of advice, if you HODL a lot of BTC, you should use a different address for every transaction, combined with a VPN or TOR-onion router, in order to protect your funds. Me, with my 0.1 BTC, I do not feel that threatened at the moment.

Yours truly, 

George


Comments

It is not perfect and hack will make the DeFi space much stronger.

3 years ago

your write up was better than mine! nice job!

3 years ago

Great article. Thank you for this informative article

3 years ago

Everything is fine 🙂

3 years ago

Great information about this article my 5

3 years ago

It is an interesting story indeed.

3 years ago