Harvest Finance: Flash loan + Curve Y-pool spot price manipulation → inflated fToken share valuation → vault drain
Summary #
Harvest Finance (a Yield Aggregator / Vault protocol) suffered an exploit on 2020-10-26, resulting in a loss of approximately $34M.
What happened #
An attacker flash-loaned $50M and cycled a Curve pool stablecoin imbalance 32 times over 7 minutes, exploiting Harvest Finance's spot-price oracle to drain $33.8M — while leaving $400M more vulnerable but untouched.
Linked factors #
- RD-F-008 — illustrative : Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited code — design flaw survived all three reviews]
- RD-F-053 — causal : ★ Oracle source = spot DEX pool (no TWAP, no fallback) [via cross-hack: Factor 16: Single-Source VWAP / Thin-Liquidity Oracle Without Flash Swap Filtering]
- RD-F-055 — related : Underlying oracle pool depth (USD) [via cross-hack: Factor 16: Single-Source VWAP / Thin-Liquidity Oracle Without Flash Swap Filtering]
- RD-F-056 — related : Single-pool oracle (no medianization) [via cross-hack: Factor 16: Single-Source VWAP / Thin-Liquidity Oracle Without Flash Swap Filtering]
- RD-F-098 — illustrative : TVL anomaly — % drop in <1h vs 30d baseline [via realtime_signals/TVL exit early: Y — bank run of ~$700M TVL followed immediately post-attack; no pre-attack TVL signal] || Low detectability — RT signals would NOT have caught (negative-evidence) [via realtime_signals/Detectability reasoning: The 32-cycle attack over 7 minutes generated extremely large and anomalous Curve Y-pool swaps repeatedly — a monitoring system watching for ...]
- RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: Y — Curve Y-pool USDC/USDT ratio was visibly distorted on every exploit cycle]
- RD-F-100 — illustrative : Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — $50M flash loan from Uniswap initiated each cycle]
- RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Anonymous (Harvest dev team anonymous; 0xf00d deployer address)]
- RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — inspired by Yearn Finance vault architecture]
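Worked example for the causal factor RD-F-053 (spot DEX pool as the only oracle source, no TWAP, no fallback) and the detection signal RD-F-099 (price deviation from a secondary source). This is added illustration code, not Harvest Finance's contracts or the dashboard's own tooling. It assumes 12-second blocks, a 600-second TWAP window, a 2% deviation threshold, and a hard-coded reference price of 1.0 standing in for an independent secondary source; the price feed is constructed, not real Curve Y-pool data. A single distorted block moves the spot oracle by 4%, moves the TWAP by under 0.1%, and trips the deviation guard, which falls back to the reference price and raises the alert that a monitoring pipeline would consume.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional, Tuple


@dataclass(frozen=True)
class Observation:
    timestamp: int   # block timestamp in seconds
    price: float     # pool-implied price of token A quoted in token B


class SpotOracle:
    """The fragile pattern (RD-F-053): whatever the pool implies right now is the price."""

    def __init__(self) -> None:
        self.latest: Optional[Observation] = None

    def update(self, obs: Observation) -> None:
        self.latest = obs

    def price(self, now: int) -> float:
        assert self.latest is not None, "no observations yet"
        return self.latest.price


class TwapOracle:
    """Time-weighted average price over a trailing window.

    An observation at t_i is treated as the in-force price until the next
    observation arrives, so one distorted block contributes only about one
    block's worth of weight to the window.
    """

    def __init__(self, window_seconds: int) -> None:
        self.window = window_seconds
        self.obs: Deque[Observation] = deque()

    def update(self, obs: Observation) -> None:
        if self.obs and obs.timestamp <= self.obs[-1].timestamp:
            raise ValueError("observations must be strictly increasing in time")
        self.obs.append(obs)

    def price(self, now: int) -> float:
        assert self.obs, "no observations yet"
        cutoff = now - self.window
        # Drop observations whose in-force interval ended before the window began.
        while len(self.obs) > 1 and self.obs[1].timestamp <= cutoff:
            self.obs.popleft()
        weighted, total = 0.0, 0
        for i, o in enumerate(self.obs):
            start = max(o.timestamp, cutoff)
            end = self.obs[i + 1].timestamp if i + 1 < len(self.obs) else now
            if end > start:
                weighted += o.price * (end - start)
                total += end - start
        return weighted / total if total else self.obs[-1].price


class GuardedOracle:
    """Primary price checked against an independent reference (RD-F-099).

    On a deviation above the threshold the reference is used as the fallback
    and an alert flag is returned for the monitoring pipeline.
    """

    def __init__(self, primary, reference_price: float, max_deviation: float) -> None:
        self.primary = primary
        self.reference = reference_price      # assumed secondary source, hard-coded here
        self.max_deviation = max_deviation

    def price(self, now: int) -> Tuple[float, bool]:
        p = self.primary.price(now)
        deviation = abs(p - self.reference) / self.reference
        if deviation > self.max_deviation:
            return self.reference, True       # fall back and flag
        return p, False


def build_constructed_feed() -> List[Observation]:
    """Constructed sample data (not real chain data): 50 blocks at parity,
    then one block in which the pool ratio is pushed 4% off."""
    feed = [Observation(12 * i, 1.0) for i in range(50)]   # t = 0 .. 588
    feed.append(Observation(600, 0.96))
    return feed


def run_comparison(feed: Optional[List[Observation]] = None,
                   window: int = 600, threshold: float = 0.02) -> dict:
    """Feed the same observations to each oracle and query in the next block."""
    if feed is None:
        feed = build_constructed_feed()
    spot, twap = SpotOracle(), TwapOracle(window)
    for o in feed:
        spot.update(o)
        twap.update(o)
    now = feed[-1].timestamp + 12       # query in the following block
    return {
        "spot": spot.price(now),
        "twap": twap.price(now),
        "guarded_spot": GuardedOracle(spot, 1.0, threshold).price(now),  # (price used, alert)
        "guarded_twap": GuardedOracle(twap, 1.0, threshold).price(now),
    }


if __name__ == "__main__":
    for name, value in run_comparison().items():
        print(f"{name:>13}: {value}")
```

The TWAP here weights each observation by how long it was the in-force price, which is why a single distorted block barely moves it; in practice the window length and the deviation threshold would be tuned to the pool's normal volatility, and the reference would come from a second, independent source rather than a constant.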