DeFi Hacks Case Study: Harvest Finance Protocol

by the Crystal analytics team

Apr 14, 2021

In 2020, DeFi (decentralized finance) projects became incredibly popular among cryptocurrency industry users for non-centralized P2P (peer-to-peer) transactions.

According to CoinMarketCap, the DeFi market cap was more than $101.96 billion on April 12, 2021, and the number of projects already exceeds 200. This is mainly due to the basic principle of decentralized projects: promoting transparency and flexibility for the users involved. However, because it appeared on the market relatively recently and the technology is novel, DeFi carries quite a lot of associated risks.

First among them is the risk of smart contract hacks, which is what cybercriminals use.

The Crystal Blockchain analytics team analyzed the exploitation of the Harvest Finance project in October 2020, one of the largest DeFi hacks of 2020.

Harvest Finance protocol and what happened during the breach

Harvest Finance is a farming protocol, or “an international cooperative of humble farmers pooling resources together in order to earn DeFi yields.” According to the team, “when farmers deposit, Harvest automatically farms the highest yields with these deposits using the latest farming techniques.” So the project accumulates value return across various lending protocols, optimizing it for maximum profit.

On October 26, 2020, by manipulating arbitration, an unknown crypto-criminal withdrew to their address about $25 million (~ 13M USDC and ~ 11M USDT) in the following transaction:


What happened to the stolen funds taken from Harvest Finance?

On the very first day, the attacker sent the stolen 13M USDC to another popular DeFi project, Uniswap - a decentralized trading protocol - via the following transaction:


As a result of this exchange or swap of tokens, the hacker received more than 30,377 ETH to his account. All “swap” data is open on the public blockchain.

NOTE: Token swaps in Uniswap are a way to trade one ERC-20 token for another.

On the same day, as a result of twelve transactions in total, the hacker exchanged 11M USDT for more than 26,500 ETH.

As a result of 11 transactions, the hacker transferred most of the received ether into tokenized bitcoin – Wrapped BTC (WBTC), having received a total of more than 1,519 tokens in exchange for more than 51,315 ETH. It should be noted that Crystal also discovered a transfer of 300 ETH to the Tornado mixer in a transaction:


The WBTC received as a result of this exchange was then sent to another DeFi protocol – Ren, from which the attacker converted the tokens into bitcoins and distributed them to 7 addresses. Because of the protocol's functionality, their hashes can be seen in the detailed description of the Ren transaction in the visual below.

Following this, half of the received bitcoins were sent mainly to the Wasabi mixer, but at the same time partially moved to centralized Virtual Assets Service Providers (VASPs) such as Binance, Huobi, and others. The other half of the bitcoins is still lying motionless. Crystal Blockchain will continue monitoring the movement of funds.

Harvest Finance protocol breach 2020: findings & conclusions

The attacker tried to obfuscate (launder) the funds to derail investigations by wiring funds through multiple DeFi protocols. However, given that protocols such as Uniswap (including forks) and Ren provide information about token swaps and show final recipient addresses, this method of money laundering (“ML”) cannot be considered efficient.

In such cases, the difficulty is in spending additional resources to "deploy" these swap transactions and find out what exactly happened next. Crystal analytics tags all addresses that could potentially belong to the criminal and which received funds from these swaps. This step will further help VASPs prevent money laundering if they use the analytics software. To really cover tracks, the attackers would have been better served to pass funds through weakly regulated exchanges and traditional "mixers" that are not as easy to track. Fortunately, they didn’t do that here.
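
The tagging step described above can be sketched as a graph walk over transfer records. This is an added example, not Crystal's software: the addresses, tx ids and per-address BTC amounts are constructed, and each swap or bridge hop is simplified to one tx id that links its input leg to its output leg.

```python
from collections import deque

# Constructed sample data: addresses and tx ids are placeholders; only the
# protocol names and the rounded swap amounts echo the article.
LABELS = {"uniswap": "dex", "ren": "bridge", "tornado": "mixer",
          "wasabi": "mixer", "binance": "vasp", "huobi": "vasp"}

# (tx_id, sender, receiver, asset, amount)
TRANSFERS = [
    ("tx1", "attacker", "uniswap", "USDC", 13_000_000),
    ("tx1", "uniswap", "attacker", "ETH", 30_377),
    ("tx2", "attacker", "tornado", "ETH", 300),
    ("tx3", "attacker", "uniswap", "ETH", 51_315),
    ("tx3", "uniswap", "attacker", "WBTC", 1_519),
    ("tx4", "attacker", "ren", "WBTC", 1_519),
    ("tx4", "ren", "btc_addr_1", "BTC", 760),
    ("tx4", "ren", "btc_addr_2", "BTC", 759),
    ("tx5", "btc_addr_1", "wasabi", "BTC", 700),
    ("tx6", "btc_addr_1", "binance", "BTC", 60),
]

def trace(seed, transfers=TRANSFERS, labels=LABELS):
    """Follow funds from seed; return (tagged addresses, endpoints, dormant)."""
    by_sender, by_tx = {}, {}
    for t in transfers:
        by_sender.setdefault(t[1], []).append(t)
        by_tx.setdefault(t[0], []).append(t)
    tagged, endpoints, queue = {seed}, [], deque([seed])
    while queue:
        addr = queue.popleft()
        for tx, _, dst, asset, amount in by_sender.get(addr, []):
            kind = labels.get(dst)
            if kind in ("mixer", "vasp"):
                # The trail ends here: record where the funds left the graph.
                endpoints.append((kind, dst, asset, amount))
                continue
            if kind in ("dex", "bridge"):
                # Unwrap the swap: output legs of the same tx name the recipients.
                recipients = [r for _, s, r, _, _ in by_tx[tx] if s == dst]
            else:
                recipients = [dst]
            for r in recipients:
                if r not in tagged:
                    tagged.add(r)
                    queue.append(r)
    # Tagged addresses that never sent anything still hold their funds.
    dormant = sorted(a for a in tagged if a not in by_sender)
    return tagged, endpoints, dormant
```

Calling `trace("attacker")` returns the set of addresses to tag, the mixer and VASP deposits where the trail ends, and the addresses whose funds have not moved.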

Based on the current reality of this relatively novel industry, we can easily say that the decentralized sector is still at the beginning of its development, and there’s much more to come. However, we cannot help but compare decentralized (DEX) and centralized (CEX) exchanges and look at their similarities and differences.

Comparisons between DEX and CEX infrastructural vulnerabilities:

  • Decentralized exchanges (DEX), unlike most centralized exchanges, do not require verification from users.
  • DEX member funds always remain under the user's control, while centralized VASPs have full control over funds on CEX.
  • Currently, hackers can find more vulnerabilities in decentralized protocols than centralized platforms, and this is how they withdraw these stolen funds. In centralized platforms, vulnerabilities are generally found in security systems.
  • User funds in the decentralized sector are not protected in any way from the point of view of insurance and coverage of losses as a result of hacking, since these funds remain under the control of users, while insurance pools are formed at some centralized exchanges and compensations are carried out.
  • Decentralized exchanges offer no way to withdraw tokens to fiat. To do this, users (including cybercriminals) often have to convert tokens into traditional crypto coins (BTC, ETH, etc.) and then send them to centralized exchanges. This is an extra step for users in terms of liquidation.

What’s to come for DeFi protocols in 2021?

As said in the introduction, the DeFi crypto market cap stood at $101.96b on CoinMarketCap on April 12, 2021, already a 1.79% increase on the day before, and up from $850m in December 2020. According to The Block Crypto, “DeFi... scalability and sophistication is set to compete with centralized services in 2021”. Adrian Peng, CEO of Cook Finance, a decentralized asset management platform, said “We are in the early stages, with a lot of hype and bubbles around it, just like the internet in the 90s”. Investors are expecting meteoric growth in the DeFi sector.

As with any new financial sector surrounded by hype, this does mean a potential increase in scams and security breaches in DeFi as crypto-criminals look for opportunities to exploit protocols and protocol funds for their own gain.

What’s positive, though, is that crypto analytics software companies like Crystal Blockchain are adding more DeFi protocol support to their platforms to meet this growing trend and to combat potential illicit activities. To date Crystal covers monitoring for 80+ protocols, along with 1500+ ERC-20 and ERC-721 tokens, with even more coverage expected for decentralized assets in the coming months.

