In another major blow on the decentralized finance (DeFi) sector, a hacker on Monday reportedly stole $24 million worth of cryptocurrency assets from DeFi service Harvest Finance, a web portal that lets users automatically “farm” assets for the highest returns in other DeFi projects.
The attacker reportedly targeted the protocol’s liquidity pools, performing an arbitrage attack using a flash loan, a method that enables a trader to take on massive leverage without any downside. The hacker, however, later returned some $2.5 million.
In a tweet, Harvest Finance said the hacker “manipulated prices on one money lego (curve y pool) to drain another money lego [farm USDT (fUSDT), farm USDC (fUSDC)], many times. The attacker then converted the funds to renBTC and exited to bitcoin.”
RenBTC is a bitcoin-backed token issued on Ethereum by Ren Protocol. Coindesk reported that Harvest’s native token, Farm, dropped by 65% in less than an hour after fretful investors pulled their deposits. It was followed by the project’s total value locked (TVL) plunging from over $1 billion to $430 million.
After the hack, the funds were eventually swapped for bitcoin (BTC), but not before being swept through Tornado Cash, Etherium’s mixing service.