A hacker has stolen roughly $24 million worth of cryptocurrency assets from decentralized finance (DeFi) service Harvest Finance, a web portal that lets users invest cryptocurrencies and then farm the price variations for small profit yields.
The hack took place earlier today and was almost immediately confirmed by Harvest Finance administrators in messages posted on the company’s Twitter account and Discord channel.
According to these messages, a hacker invested large quantities of cryptocurrency assets in its service and then used a cryptographic exploit to siphon the platform’s funds to their own wallets.
In total, the hacker stole $13 million worth of USD Coin (USDC) and $11 million worth of Tether (USDT), according to a transaction ID singled out by Harvest Finance administrators in a subsequent post-mortem investigation.
Two minutes after the attack, the hacker also returned $2.5 million back to the platform, but the reasoning behind this operation remains unclear.
Company claims to have identified the attacker
In a message posted on its Discord channel, Harvest Finance claimed the attack left “a significant amount of personally identifiable information on the attacker” and described them as “well-known in the crypto community.”
In a series of messages posted on Twitter, Harvest Finance admitted that the attack took place because of a mistake on its part and left the door open for the attacker to return the funds without any consequences.
“We made an engineering mistake, we own up to it,” the company said.
“We do not have any interest in doxxing the attacker […]. People should have their privacy,” the company added. “You’ve proven your point. If you can return the funds to the users, it would be greatly appreciated by the community, and let’s move on.”
We made an engineering mistake, we own up to it. Thousands of people are acting as collateral damage
— Harvest Finance (@harvest_finance) October 26, 2020
The company is now offering a $400,000 bounty to anyone who finds a way to return the stolen funds. After the first 36 hours, the bounty will be lowered to $100,000.
“Please do not doxx the attacker in the process. We strongly advise to focus all efforts on ensuring that user funds are successfully returned to the deployer,” Harvest Finance said.
Credit: Zdnet
