Cyber Incident Victim: Harvest Finance
Date: Oct 2020
Location: United States of America
Summary
A hacker exploited a cryptographic vulnerability in a decentralized finance service, Harvest Finance, to steal approximately $24 million in cryptocurrency assets, specifically $13 million in USD Coin and $11 million in Tether. The attacker briefly returned $2.5 million post-theft for unclear reasons, while administrators acknowledged an engineering error and appealed for the funds' return without retaliation, offering a $400,000 bounty that would decrease over time. The platform claimed to possess significant identifiable information about the perpetrator but emphasized privacy and discouraged public exposure efforts, urging focus on recovering user assets.
Description
On October 26, 2020, Harvest Finance, a decentralized finance (DeFi) platform enabling cryptocurrency investments and yield farming, suffered a security breach resulting in the theft of approximately $24 million in digital assets. The attacker exploited a cryptographic vulnerability within Harvest Finance’s system by first depositing substantial cryptocurrency amounts into the platform and then manipulating the protocol to illicitly transfer funds to external wallets. Harvest Finance administrators confirmed the incident within hours through announcements on their official Twitter account and Discord channel, identifying the stolen assets as $13 million in USD Coin (USDC) and $11 million in Tether (USDT). Two minutes after the initial theft, the attacker returned $2.5 million to Harvest Finance, though no explanation for this partial reimbursement was provided. Post-incident analysis by Harvest Finance revealed a transaction ID linking the attack to the stolen funds and suggested the attacker left behind a significant amount of personally identifiable information (PII), describing the individual or group as "well-known in the crypto community." The breach was attributed to an engineering error in Harvest Finance’s system design, which the company publicly acknowledged as its responsibility.

Harvest Finance’s response included direct communication with the attacker, urging the voluntary return of the remaining funds without legal repercussions or public exposure. In messages posted to Twitter and Discord, the platform stated it had "no interest in doxxing the attacker" and emphasized respect for privacy, while appealing to the attacker’s reputation within the cryptocurrency ecosystem by noting, "You’ve proven your point." Concurrently, Harvest Finance announced a bounty program offering $400,000 to anyone facilitating the recovery of the stolen assets, with the reward reducing to $100,000 after 36 hours. The company instructed participants to avoid disclosing the attacker’s identity, stressing that efforts should prioritize fund recovery. No additional technical details about the exploit or long-term remediation steps were disclosed in the immediate aftermath. The incident disrupted user operations and eroded trust in the platform, with Harvest Finance committing to transparency in its post-mortem findings while focusing on mitigating financial losses for affected users.
