Sarson Funds, Oct 27

Harvest Finance Hacked: Flash Loans and How to Mitigate Risk of Loss

Weekly Analyst Thoughts

This past weekend, Harvest Finance, a DeFi yield farming protocol, was hacked using a DeFi transaction mechanism called a flash loan. A flash loan is a specific type of transaction in which the borrower must repay the loan within the same blockchain transaction. If the borrower does not repay the full loan (principal + interest), the transaction reverts, as though the flash loan never happened. Like Harvest, Aave also supports flash loan transactions and credits much of its meteoric 2020 price rise to this feature.
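
The repay-or-revert rule described above, as a toy Python model. This is an added example, not code from Harvest, Aave or the original article; the ledger, the account names, the amounts and the 0.09% fee are assumptions made for illustration.

```python
class Revert(Exception):
    """Aborts the current transaction."""

class Chain:
    """Toy ledger with all-or-nothing transactions (constructed model)."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Revert(f"{src} cannot cover {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def execute(self, tx):
        """Run tx; on Revert, restore the pre-transaction balances."""
        snapshot = dict(self.balances)
        try:
            tx(self)
            return True
        except Revert:
            self.balances = snapshot
            return False

FEE_BPS = 9  # assumed fee (0.09%), for illustration only

def flash_loan(chain, pool, borrower, amount, callback):
    """Lend amount, run the borrower's callback, then demand principal + fee."""
    fee = amount * FEE_BPS // 10_000
    required = chain.balances[pool] + fee   # pool must end up at least here
    chain.transfer(pool, borrower, amount)
    callback(chain, amount + fee)           # borrower's logic, told what is due
    if chain.balances[pool] < required:
        raise Revert("flash loan not repaid in full")

def repays(chain, due):
    chain.transfer("borrower", "pool", due)

def keeps_funds(chain, due):
    chain.transfer("borrower", "other", 1_000_000)  # never repays the pool

def simulate(callback):
    """Return (committed?, final balances) for one flash-loan transaction."""
    chain = Chain({"pool": 5_000_000, "borrower": 1_000})
    ok = chain.execute(
        lambda c: flash_loan(c, "pool", "borrower", 1_000_000, callback))
    return ok, chain.balances

if __name__ == "__main__":
    print(simulate(repays))       # commits: pool gains the fee
    print(simulate(keeps_funds))  # reverts: balances are unchanged
```

In the reverted case the ledger ends exactly where it started, including the transfer the borrower made mid-transaction, which is why an unpaid flash loan leaves no trace in balances.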

The Harvest Finance attack was executed through the Curve Finance Y pool with a flash loan. As seen below, Harvest’s nearly $3 billion in volume and over 170% APY raised concerns that there was irregular activity in the Curve Finance pool.

Source: Curve.fi

The takeaway from this clever arbitrage on Harvest Finance is that even if a yield farming protocol has multiple layers of audits (as Harvest did), it can still be vulnerable to attacks. So, don’t let the fact that a protocol is audited give you a false sense of security when investing in DeFi yield farming protocols. Instead, it is safer to diversify risk by investing with several reputable yield farming platforms (e.g. Uniswap, Balancer) to mitigate the risk of losing funds to sophisticated flash loan attacks.