Bitcoin Forum

An exploit in DeFi protocol Harvest Finance has caused over $25 million in funds to be stolen. Most of these funds have been traded for renBTC and mixed through Tornado Cash.

The protocols native token FARM has fallen 65% in value.

It's possible that this could be an exit scam since Harvest Finance's anonymous devs supposedly have an admin key that can drain the protocol's contract.

https://www.coindesk.com/defi-platform-harvest-finance-exploit

Lets not come to any conclusion so quickly but this quote from the article sounds very suspicious. The attack comes after DeFi analyst Chris Blec claimed Harvest Finance’s administrators held an “admin key that can drain funds” locked in the protocol’s contracts. Only people who carry the load of this would be investors. so sad.

It comes as no surprise for most of us. Though DEFI are a good option, there's no market large enough to sustain a lot of them and it's still would be difficult for good ones to bring insanely large profits as the DEFI are generally characterized by lower fees. When people are here for overnight money doubling, it's possible only when you are scamming your own customers and investors.

If I am not mistaken KAVA protocol too had a side-project called HARVEST, right? is it the same project or a different one? These anonymous devs and their unaudited contracts are getting worst each day.

The team is giving out more and more info and I guess it was not from an insider.
They claim it were from an exploit that was done "by manipulating stablecoin prices on Curve Finance, another DeFi protocol that Harvest Finance contracts interact with."
They have pointed out some addresses on twitter who were involved in casing out the coins and have asked help from prominent exchanges to track and prevent coins of those address being converted or withdrawn to other coins.
Source:
https://twitter.com/harvest_finance

Harvest Finance is currently under a FUD attack by that Twitter personality Chris, fudders on 4chan, Discord, Telegram, and other social media pages. A paid group began actively targeting the project after it reached 1 billion USD in managed funds. Many suspect the hack and paid fudders come from CZ or FTX as they have competing projects and FARM was growing too quickly for their liking. I've been in crypto long enough to see what is happening and bought the dip at 80usd. The price is now well over 100usd and I've done quite nicely.

That's the thing having an anon dev. No matter we secured the project the outcome can be like this. Im sure no one is blaming them, but we dont know if this an internal planned exit or what. Who would know even the article could be also misleading or a form of diversion.

Im not saying they are the culprit, just viewing a possible scenario that this might actually happened since it has been pulling of with a lot of projects in the past. Like cbdao and many more.

Regardless though, the money has been drained, and as far as I know Chris Blec is investigating it and usually he is spot on with his conclusion. This is huge amount to be lost in this Defi hype, another blow to it's reputation and it people should be careful as we have been sweep under with this hype and resulting to millions of dollars being lost to this scammers.

Whatever be the cause, it's the team which should take the responsibility. Wherever the exploit came from, every lines on defi smart contract should be properly analyzed and verified by the developers. After that, it also goes through audit by and external auditor. The exploit seems to miss both of them or both of them were involved in this plot. It's the disaster caused by the Defi hype as inexperienced developers saw money on Defi and jumped into it.

Looks like attackers's BTC addresses have been identified:
source (https://twitter.com/harvest_finance/status/1320614699684298754)

The team also notified different exchanges to block those addresses but good luck to them if they use bitcoin mixers/coinjoins to move the funds.

Another interesting development to the case is the team claiming they've somehow identified who the attacker is but refused to name him/her because of the reputation s/he has in the crypto community.

^ Maybe talk to the guy who said something about admin key and get your $100K bounty  ;D

---

Regardless of who the attacker is or what motive s/he has, it doesn't changed the fact that DeFi projects are open for exploits. This is another proof that these projects aren't really decentralized and trustless. Best of luck to all investors/speculators. Another money down the drain.

Yes possible since as you said they are anonymous  developer and they have nothing to lose in case they run peoples money.
they did it to facilitate the sale and their investors could not even suspecting them . easy exit scam idea for a new project with anonymous teams Maybe they did it so that there would not much investigation and just blame it all to hackers.

DeFi starting to get messy. Anonymous devs team are starting to backfire and idiot investors that keep swarming on hype defi coin never learned there lesson. It's not easy to exploit there code and this garbage bounty hunting for the scammer is just a show to redirect crowd attention. This DeFi system will never gonna work for anonymous devs because they will keep destroying there own project once they secure enough funds on there wallet. People never learned on this kind of scheme especially during Sushi swap creator runaway the project funds.  :-\

Pretty much the intention is very simply, stole money from unsuspecting victims and ran off and used conjoin mixers to hide their track. So simply don't touch the money and wait for the imminent bull run next year, win-win situation for the criminals.

As far as DeFi goes, the picture has slowly crumble, and just like what majority of you said prior to this hype, it is comparable to 2017 wherein scammers and hackers are everywhere. The main difference is that criminals now are having an easy time breaching or exploiting these codes and then slowly draining them. How much can investors take? Your guess is as good as mine. Perhaps billions will be lost in the future before we really learn our lessons.

If you are actively following the topic of hacks, then read this topic.
https://bitcointalk.org/index.php?topic=5267124.0
A little money was stolen for the project and it is good that the amount of damage will not increase.
But this is a very small amount when compared to theft from centralized exchanges.

KAVA project is different and this is different. Kava Harvest protocol ticker is HARD and this is FARM. I was also confused at first.

Any DeFi projects can get hacked either through the platform or through exchanges, been DeFi doesn't mean the project is hack proof, few DeFi  projects got hacked through kucoin exchange weeks ago and I'm surprised that few of these DeFi projects changed their smart contract because of the hack, revealing that they aren't 100% decentralized.

Another Defi mess, why people (investors) dont consider it in the first place before doing such thing as investing, I think they simply trust their money in the unknown developer's Defi project, Because IMO, hiding in anonymity in the name of Decentralization is already a "red flag" unless there is some legitimate and known representative to act on behalf of the anonymous team, The other problem is the unaudited smart-contract function it was also important because how do we know if there is something hidden key in the smart-contract to drain the funds intentionally in the future.   

Thats simply means there are still bug in that platform and we can't fully trust are money there. they needto improve their security if they don't want that glitch will happen again in thier exchange. Even they stoled only small amount for that we cant still be comfortable and hackers will always  find holes. that can be used later and can have a big impact on this exchange.

If truly the admin have back-end access to peoples account then it must an inside job. However, this will be a serious issue since the team are anonymous. How to know exactly who the team are will need to be uncovered before going further to press any charges. Investors should be conscious of dealing with faceless people especially when investing huge amount into a project

Theft from centralized exchanges are something comparable to a disaster ;D !
Just take a look on Mtgox or QuadrigaCX two of major collapse (and many many other like cryptopia o mintpal) .
However what I find very curious with DeFi scam it's the chance that people have to take a look inside these codes/smart contract/ holder list.
It's not a "back end access" matter... Since no one has a real knowledge of coding (and mostly are just searching "the new bitcoin") these scam can just become more frequently.

If it's insider job then people should already realize that anonymous dev means red flag and if it's not an insider job then we should be concerned about the security of defi projects and why it can be exploited like that. Feels like these project are some half baked project made by some small anonymous team. but "admin key" in a project that's supposed to be "decentralized" sounds really fishy. I'd stay away.

when they say that the project team is anonymous it will make it easy for them to scam because the reason is that no one knows the identity of the DeFi project maker which ends up threatening many people with a time bomb that could explode and make a lot of people lose.

some people won't care of that but they care more on the profit . this is crypto and defi is decentralized so having an anonymous Dev can also be legal ?

all on this space can be exploited like that even without that admin key thing but this case is more serious because they have that admin key thing , right at the start of thier run they already announce that they have this admin key thing ? Because if yes then there will be less people that are going to participate with it because of its risk

It feels like the defi craze is gradually coming to an end with the several attacks we're experiencing in the space. It's best for liquidity providers and investors to consider other sources of income from the space. I was certain that the defi bubble would come to halt one way or the other and it seems to be on the verge to accomplishing that.

Will it be right to say that most developers are now using the anonymous nature associated with DeFi projects to carryout a lot of unworthy acts. "anonymous Devs having an admin key", although I don't know much about this project but what if it's true? $25 million is a huge amount and this will only cause more users to dump their token sooner than later because the trust has been lost. Also, this will make other Defi projects with anonymous team to be questioned.
DeFi is now lossing reputation as day goes by, on one hand the hype is dropping fast and on other hand, people are now battling with scams, exploits and so on; maybe this is ICO era repeating itself again and therefore everyone needs to be careful of the promises most of these projects are making.

There is absolutely something Fishy with this hacked brouhaha. The hacker return 2 million back, this is definitely an insider Job just like Kucoin. They should involve the authorities, if they make thorough investigation, they would have a lead.

DeFi is just too risky, I like the techno-finance trend but decentralization comes with risk as well. I feel safe to buy an existing top market tokens with fibonacci correction than invest on new projects.

as long as they dont care about developers background victim will always occur in cryptocurrency market, investors give too many chance for scammer to life in this market. they only care about trend in market but forget about risk that may involve on it. in my opinion defi was not interested anymore, investos looking at NFT project now  and some old coins in market that have low price.

The problem is not the Anonymity. Anonymity is part of the feature of true Cryptocurrency. Without it, a decentralized network could be vulnerable to multiple  attack types.
A good developer can go through kyc verification while still remaining anonymous if his/her real verified identities can be immutably/permanently linked to his/her decentralized account. The developer can then create anonymous account/accounts from the verified identities, which can be unmasked or de-anonymized by the network if he/she commits a serious crime, like hacking, stealing of funds etc

Part of the problems with Defi is that it's an ecosystem that tolerate taking big financial and security risks on new platforms that haven't been thoroughly or well tested.  I read somewhere that the platform was even audited. An auditor/auditors probably gave the platform a pass mark. So, what then went wrong? Most likely was audited by unqualified, compromised , or few auditors... it wasn't unedited well enough etc

I read a good suggestion on the Monero subeditor. Be smart people and cut out the middle man. Better buy Monero instead of giving wealth to these scammers fro them to buy Monero. Just do it yourself and cut out the middle man. :)

First it was Yam Defi token and now it Harvest finance. This is awake up call for all Defi project investors to always the danger in a Defi project before invest in it because a project which it Dev was an anonymous individuals and also have an admin key that could empty the project protocol contract is definitely a failed project from the beginning.

Blaming it on the hackers is the easiest coverup in crypto space.
Many exchanges have done so, so if DeFi projects are doing it, i wouldn't be surprised.

But alas, that's the risk of current yield farming craze, there's barely, if any contract audit that would guarantee safety of the investors.

Next time you want to yield farm, check the contract, read it, try to understand it. They're not big, and anyone with some technical language can understand what they do.
If anything is suspicious, stay away from it

That's why never invest in anything we don't know whose the operator, developer or behind that project. When it comes in DeFi project I usually watch live stream explanations of them about their project in their YouTube accounts or website. to see their personality and how well they know their project when there's a Question and answer part. If they believe in their project, they will reveal their identies

The main issue here is that the team is anonymous, I don't understand why people are convinced that they can give the control of their money to someone they don't know. The second issue here is that all these Audit forms need to take responsibility for some of these hacks, if you are paid to look for vulnerabilities and weeks after the protocol is exploited, is it not possible that you see the exploit and leave it for some weeks and later exploit it yourself. Anyone using DEFI should understand they risk and he/she stands the chance of losing all their money

But Monero has it's fair share of de-listing? the latest is the Bitvavo, a European exchange, removed Monero due to AML5 regulations (https://www.reddit.com/r/CryptoCurrency/comments/jierij/monero_being_delisted_future_of_privacy_coins//). What's funny though is that the hackers has supposedly return $2.5 million, it's just like when you get mugged on the streets and then these criminals left you some money so that you can go home.  ;D. Interesting to note though that the supposedly hackers have left a footprint that it is identifiable, and as per Harvest Finance  "well-known in the crypto community."

It has now been confirmed by Harvest representative that the attacker “manipulated prices on one money lego (curve y pool) to drain another money lego [farm USDT (fUSDT), farm USDC (fUSDC)], many times. The attacker then converted the funds to renBTC and exited to bitcoin.” Source here (https://news.bitcoin.com/defi-protocol-harvest-finance-hacked-for-24-million-attacker-returns-2-5-million/).

The key features are:
- Harvest Finance was hacked on Monday for $24 million
- protocol’s liquidity pools were the targets
- attack consisted of an arbitrage attack using a large flash loan – a type of uncollatarized loan –
- hack complete in 7 minutes

All of the above factors go to show that this was a very quick attack and unsurprisingly a well strategised one. It also emphasises the thing we all hear about 'security', and how important that can be even at time when you think you're all set. Sad to hear that this has happened.

The scams are popping up in the hype market of DeFi every week and scammers are taking advantage of the hype and the lesson here is that do not invest in anything that have anonymous developers, if people did not learn that basic from the ICO shit days then they have to be blamed.

Heading should be, another shitty scam in DeFi :P.

Woah!
Those are huge transfers, the first one with 295 BTC transferred and the next one holds 199 BTC. I guess it's just a matter of time then these will be on dumped.

What happened? I don't understand the reason for a project not to show team information clearly. As we know, Defi was born because of transparency and freedom. But the project is not honest, you don't have to know who our team is, because we will steal your money. crazy defi

Things like this are likely to happen as it also happened when ICO is booming 2-3 years ago.
It is possible that this is just another exit scam and they just say that it has been exploited but in reality the devs just sold it out of nowhere.

Like I'm always saying, if you see value to your money then at least don't invest into these new projects for now since things like this are likely to happen. Exploits, hacks, exit scams etc. but if you really want to invest then good luck :D.