What Happened

Harvest Finance (Backtest 2020-09-01)

$34M | Smart Contract Exploit | October 26, 2020

Flash loan price manipulation: the attacker used flash loans to manipulate the USDC/USDT price on the Curve Y pool, deposited into the Harvest fUSDT/fUSDC vaults at the manipulated price, withdrew at the real price, and repeated the cycle ~32 times to drain $34M in 7 minutes.

What Hindenrank Would Have Said

As of September 1, 2020

Risk Score: 66/100 (Grade D)

Very high risk — an unaudited yield aggregator with anonymous team control and a critical flash loan vulnerability in its vault pricing mechanism. The use of spot Curve pool prices for deposit/withdrawal calculations is a known attack vector since bZx (Feb 2020). Avoid depositing significant funds until audits are completed and oracle-resistant pricing is implemented.

Mechanism Novelty: 10/15
Interaction Severity: 16/20
Oracle Surface: 9/10
Documentation Quality: 8/10
Track Record: 10/15
Scale Exposure: 3/10
Regulatory Risk: 4/10
Protocol Vitality: 6/10

Grade Predicted This Failure

Flagged by dimensions: Mechanism Novelty, Interaction Severity, Oracle Surface, Documentation Quality, Track Record, Protocol Vitality

One or more collapse scenarios directly matched the actual failure mode.

Top Risks Identified

  1. Vault share price uses spot Curve pool prices — vulnerable to flash loan price manipulation at deposit/withdrawal boundaries
  2. Anonymous development team holds single admin key capable of minting unlimited FARM tokens and changing vault strategies to drain funds
  3. No completed security audit at launch — rapid deployment during DeFi Summer without formal review of flash loan attack vectors
  4. Yield aggregator composability risk: strategies deploy user funds across multiple external protocols (Curve, Compound), compounding failure surfaces
  5. 12-hour timelock on admin actions is insufficient for users to react to malicious governance changes

Collapse Scenarios

Flash loan price manipulation drains vaults via Curve spot price dependency

Elevated
Trigger

Attacker identifies that Harvest vault share pricing uses spot Curve pool ratios and constructs a flash loan attack cycle: borrow -> swap to manipulate price -> deposit at manipulated price -> reverse swap -> withdraw at true price

Cascade

  1. Attacker takes $50M+ flash loan from Uniswap or dYdX. Effect: attacker has temporary capital to manipulate Curve pool prices.
  2. Large USDC-to-USDT swap on Curve Y pool distorts spot price ratio. Effect: Harvest vault calculates artificially low share price for deposits.
  3. Attacker deposits into Harvest vault at manipulated (cheap) price, receiving excess fTokens. Effect: attacker holds more vault shares than the deposit value warrants.
  4. Attacker reverses the Curve swap to restore true price, then withdraws from vault. Effect: withdrawal returns more underlying assets than deposited, extracting value from other vault depositors.
  5. Attack cycle repeated 30+ times in rapid succession within minutes. Effect: cumulative extraction of tens of millions from vault pools.
  6. Remaining depositors panic-withdraw, TVL collapses, FARM price crashes. Effect: bank run drains protocol of remaining deposits and FARM token becomes near-worthless.

Historical Precedent

bZx flash loan attacks (February 2020) used identical pattern: flash loan -> DEX price manipulation -> exploit protocol using manipulated price -> profit. Lost ~$954K across two attacks. Harvest's vulnerability is the same class but with larger TVL exposure.
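As an added illustration of the cascade above (example code, not Harvest's, Curve's or Hindenrank's), the toy model below runs one borrow -> swap -> deposit -> reverse swap -> withdraw cycle against a vault that values its strategy holdings at the pool's in-block spot ratio, and then against the same vault using a reference price the attacker cannot move within the transaction. A constant-product pool stands in for Curve's StableSwap Y pool, and the reserves, fee, loan and deposit sizes are constructed.

```python
# Added toy model of the flash-loan cycle above (not Harvest's or Curve's code):
# a constant-product pool stands in for Curve's Y pool; all sizes are constructed.
FEE = 0.0004  # 0.04% swap fee (constructed)

class Pool:
    def __init__(self, usdc, usdt):
        self.r = {"USDC": float(usdc), "USDT": float(usdt)}  # reserves

    def spot_usdt_per_usdc(self):  # in-block spot ratio a naive vault reads
        return self.r["USDT"] / self.r["USDC"]

    def swap(self, token_in, amount_in):  # x*y=k swap, fee taken on the input
        token_out = "USDT" if token_in == "USDC" else "USDC"
        eff = amount_in * (1 - FEE)
        out = self.r[token_out] * eff / (self.r[token_in] + eff)
        self.r[token_in], self.r[token_out] = self.r[token_in] + amount_in, self.r[token_out] - out
        return out

class Vault:  # fUSDT-style vault: idle USDT plus strategy assets held as USDC
    def __init__(self, strategy_usdc, shares, price_fn):
        self.usdt, self.strategy_usdc, self.shares = 0.0, strategy_usdc, shares
        self.price_fn = price_fn  # values strategy USDC in USDT: the attack surface

    def total_usdt(self):
        return self.usdt + self.strategy_usdc * self.price_fn()

    def deposit(self, amount):  # mint shares at the current (maybe manipulated) price
        minted = amount * self.shares / self.total_usdt()
        self.usdt, self.shares = self.usdt + amount, self.shares + minted
        return minted

    def withdraw(self, shares):  # redeem at current price: idle USDT first, then strategy
        out = shares * self.total_usdt() / self.shares
        idle = min(out, self.usdt)
        self.usdt, self.shares = self.usdt - idle, self.shares - shares
        self.strategy_usdc -= (out - idle) / self.price_fn()
        return out

def attack_cycle(use_spot_price, loan_usdc=20e6, deposit_usdt=10e6):
    # One cycle; returns (manipulated spot, attacker net in USD, USDC and USDT counted at 1.0 each)
    pool = Pool(200e6, 200e6)
    price_fn = pool.spot_usdt_per_usdc if use_spot_price else (lambda: 1.0)  # False: unmovable reference
    vault = Vault(strategy_usdc=50e6, shares=50e6, price_fn=price_fn)
    usdt_got = pool.swap("USDC", loan_usdc)   # flash-loaned USDC pushes USDT/USDC down
    manipulated = pool.spot_usdt_per_usdc()
    minted = vault.deposit(deposit_usdt)      # flash-loaned USDT buys shares cheaply
    usdc_back = pool.swap("USDT", usdt_got)   # reverse swap restores the spot price
    usdt_out = vault.withdraw(minted)         # shares redeemed at the restored price
    return manipulated, (usdc_back - loan_usdc) + (usdt_out - deposit_usdt)
```

With spot pricing the attacker's gain comes entirely out of the other depositors' share of the vault; with the fixed reference price the same cycle only loses the round-trip swap fees.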

Admin key rug pull by anonymous developers

Moderate
Trigger

Anonymous development team decides to exploit their admin key privileges to drain vault funds or mint unlimited FARM tokens

Cascade

  1. Admin deploys a malicious vault strategy that redirects funds to attacker wallet. Effect: 12-hour timelock begins countdown, but most users are unaware.
  2. After timelock expires (or if timelock is bypassed), malicious strategy activates. Effect: all vault deposits routed to attacker-controlled address.
  3. Community discovers the drain, mass panic ensues. Effect: FARM token price collapses to near zero, remaining funds are withdrawn in panic.

Historical Precedent

Multiple anonymous DeFi projects in 2020 executed rug pulls (SushiSwap Chef Nomi, YAM Finance governance issues). Anonymous team + admin key is the highest-risk governance configuration.

Mercenary capital flight triggers bank run during FARM emission decline

Moderate
Trigger

FARM token price declines 50%+ or weekly emission rewards become insufficient to attract capital, triggering mass withdrawal

Cascade

  1. FARM price drops significantly as initial hype fades and emissions decay. Effect: yield from farming FARM tokens becomes unattractive relative to competing protocols.
  2. Mercenary capital begins withdrawing from vaults to chase higher yields elsewhere. Effect: TVL drops rapidly, reducing fee revenue for remaining FARM stakers.
  3. Reduced TVL and revenue create a negative feedback loop — less yield attracts even fewer deposits. Effect: protocol enters a death spiral of declining TVL, yield, and token price.

Historical Precedent

YAM Finance (August 2020) experienced rapid capital flight after a governance bug, losing 90% of TVL in days. DeFi Summer 2020 has seen multiple yield farm collapses when incentives decline.
