Ethereum Defi Dapp Harvest Economically “Attacked,” Funds Gone to Binance

A defi dapp with more than half a billion in locked assets says it was economically attacked.

“The economic attack was performed through the curve y pool, stretching the price of the stablecoins in Curve out of proportion and depositing and withdrawing a large amount of assets through harvest,” they said in an announcement, adding:

“At this point… to protect users, 100% of Stablecoin and BTC curve strategy funds have been withdrawn from the strategy to the vault.

Next: to protect users, we are moving to block deposits to the Stablecoin and BTC vault. Existing deposits will continue to earn FARM.

Like other recent flash loan attacks, the attacker sent back $2,478,549.94 to the deployer in the form of USDT and USDC.

This will be distributed to the affected depositors pro-rata using a snapshot.

Action steps complete:

1) All funds withdrawn from curve to vault

2) Deposits disabled for stablecoins and BTC

3) fUSDC share price: 0.834998; fUSDT share price: 0.844731

4) TUSD, DAI, WBTC, RENBTC and other deposits are not affected

5) All existing vaults are stabilized

Next, we are working on tracking the attacker. Flashloan attacker’s BTC addresses:

All of the hacker’s funds are in those BTC wallets.

In addition to the BTC addresses which hold the funds, there is now a significant amount of personally identifiable information on the attacker, who is well-known in the crypto community.

We are putting out a 100k bounty for the first person or team to reach out to the attacker and help the attacker return the funds to the deployer address.

We are not interested in doxxing the attacker, your skill and ingenuity is respected, just return the funds to the users.

We will release a post mortem report within the next 16 hours, and work on future risk-mitigation strategies against flashloan economic attacks, including evaluating insurance options, as well as reparation strategies.

For the attacker: you’ve proven your point, if you can return the funds to the users, it would be greatly appreciated by the community, including many bystanders.”

They claim: “Like other arbitrage economic attacks, this one originated with a large flashloan, and manipulated prices on one money lego (curve y pool) to drain another money lego (fUSDT, fUSDC), many times.

The attacker then converted the funds to renBTC and exited to BTC.

Like other flashloan attacks, the attacker did not give time to respond, performing the attack in 7 minutes end to end.”

However, we could not find a flashloan transaction based on the address they’ve provided, and we’ve never heard of a flashloan in seven minutes.

Flashloans, as you know, are loans taken and repaid by a smart contract within a single block, with repayment at the end of the same execution, which effectively means immediately.

This person instead seems to have received some $24 million and performed numerous “manual” trades, rather than executing a one-block flashloan.

It’s also unclear how the draining of Farm USDC (fUSDC) was achieved through y Curve manipulation; it is possible some bug was exploited.
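One way a pool-price manipulation of this kind can drain a vault, as an added toy model in Python that is not Harvest’s or Curve’s code: a fee-free constant-product pool stands in for the Curve y pool (assumption), the vault values its USDT and USDC holdings at that pool’s spot price (assumed weakness), and `max_deviation` is an assumed peg-deviation guard that refuses deposits and withdrawals while the pool is skewed. The attacker balances and pool sizes are constructed.

```python
class StablePool:  # fee-free constant-product stand-in for the Curve y pool (assumption)
    def __init__(self, usdt, usdc):
        self.usdt, self.usdc = usdt, usdc
    def spot(self):  # USDC per USDT: the manipulable price the vault reads
        return self.usdc / self.usdt
    def swap(self, token_in, amount_in):  # x*y=k, no fee, so a round trip costs nothing
        k = self.usdt * self.usdc
        if token_in == "USDC":
            self.usdc += amount_in
            out, self.usdt = self.usdt - k / self.usdc, k / self.usdc
        else:
            self.usdt += amount_in
            out, self.usdc = self.usdc - k / self.usdt, k / self.usdt
        return out

class Vault:  # toy vault (assumption): values both holdings at the pool spot price
    def __init__(self, pool, usdt, usdc, max_deviation=None):
        self.pool, self.usdt, self.usdc = pool, usdt, usdc
        self.shares = usdt + usdc            # one share = 1 USD of value at peg
        self.max_deviation = max_deviation   # None = no guard (the weak setting)
    def _guard(self):  # mitigation: no mint/burn while the pool is off its peg
        if self.max_deviation is not None and abs(self.pool.spot() - 1) > self.max_deviation:
            raise RuntimeError("pool price off peg; deposit/withdraw refused")
    def total_value(self):
        return self.usdc + self.usdt * self.pool.spot()
    def deposit_usdt(self, amount):  # mints shares at whatever the pool says USDT is worth
        self._guard()
        minted = amount * self.pool.spot() * self.shares / self.total_value()
        self.usdt, self.shares = self.usdt + amount, self.shares + minted
        return minted
    def withdraw_usdt(self, shares):
        self._guard()
        out = shares * self.total_value() / self.shares / self.pool.spot()
        self.shares, self.usdt = self.shares - shares, self.usdt - out
        return out

def run_scenario(max_deviation=None):
    """Skew the pool, deposit at the skewed price, unskew, withdraw.
    Returns (attacker gain in USD at peg, whether the guard blocked it)."""
    pool = StablePool(1_000_000.0, 1_000_000.0)
    vault = Vault(pool, 1_000_000.0, 1_000_000.0, max_deviation)
    usdt, usdc = 1_000_000.0, 1_000_000.0          # constructed starting balances
    try:
        usdt, usdc = usdt + pool.swap("USDC", usdc), 0.0   # USDT now reads as 4 USDC
        shares = vault.deposit_usdt(1_000_000.0); usdt -= 1_000_000.0  # overvalued deposit
        usdc += pool.swap("USDT", 500_000.0); usdt -= 500_000.0        # pool back to peg
        usdt += vault.withdraw_usdt(shares)                             # paid out at peg
    except RuntimeError:
        return 0.0, True
    return usdt + usdc - 2_000_000.0, False   # unguarded: about 333,333 taken from the vault
```

Without the guard the round trip through the pool costs the attacker nothing in this model, so the whole gain comes out of the vault’s USDT reserve; with `max_deviation=0.05` the skewed deposit is refused.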

There’s speculation this could be a rug pull, since Harvest is an anonymous team which moreover has control over the half a billion in assets.

“That [then] $1.1 billion is sitting in smart contracts that can be drained with an admin key held by one anonymous developer,” Chris Blec, a security researcher, said just three days ago.

The team does not seem to be very responsive on their Discord, but there are suggestions 23 BTC has been sent to Binance. We haven’t verified it.

Ethereum’s price fell to $404 while Farm, Harvest’s token, dropped from $230 to below $100 before currently trading at $115.
