How Does Harvest Finance Work?

Yield|Risk C|6 mechanisms|5 interactions

A yield aggregator that automatically moves your deposits between DeFi protocols to chase the highest returns. It manages $43M, down dramatically from $1B before its $24M hack in October 2020. Its C grade reflects that devastating exploit and the structural risk of depending on every protocol it connects to.

TVL: $12M
Sector: Yield
Risk Grade: C
Value Grade: C-

Core Mechanisms

Yield/Aggregator

Automated yield farming aggregator optimizing returns across DeFi protocols

Harvest automatically reallocates deposited funds to chase the highest returns across multiple protocols. Users deposit into vaults and receive fTokens representing their share.

Vault/Auto-Compound

Auto-compounding vaults with profit-sharing to FARM stakers

Vaults harvest yield from strategies, auto-compound returns, and distribute a portion of profits to FARM token stakers. 30% of vault profits go to FARM buybacks.

Token/Governance

FARM governance token with profit-sharing and emission schedule

FARM token receives 30% of all vault profits via buyback mechanism. Token also provides governance rights over protocol parameters and strategy selection.

Strategy/Multi-Protocol

Multi-protocol yield strategies across Curve, Aave, Compound, Sushiswap, and others

Strategies deploy capital across numerous DeFi protocols. Each integration inherits the smart contract risk and economic risk of the underlying protocol.

Oracle/AMM-Price

AMM-derived price feeds for vault share calculations

Vault share pricing depends on AMM pool prices, which are vulnerable to flash loan manipulation. This was the exact attack vector in the October 2020 exploit.

Strategy/Flash-Loan-Vulnerable

Strategies interacting with manipulable AMM price sources

The 2020 exploit demonstrated that strategies relying on AMM spot prices for valuation are inherently vulnerable to flash loan manipulation, an insight that has informed the broader DeFi security landscape.

How the Pieces Interact

AMM-derived price feeds | Vault deposit/withdrawal calculations | High

Flash loans can manipulate AMM pool prices within a single transaction, allowing attackers to deposit at artificially low prices and withdraw at inflated prices. This exact attack vector caused the $24M exploit in October 2020.

Multi-protocol yield strategies | Auto-compounding vaults | High

Strategies deploy into external protocols. If an integrated protocol is exploited, Harvest vaults auto-compounding into that strategy amplify losses before the strategy can be paused or redirected.

FARM profit-sharing buyback | Vault profitability | High

30% of vault profits directed to FARM buybacks reduces effective yield for depositors. During low-yield periods, this extraction may push net APY below competitive alternatives, triggering withdrawals.

Strategy migration | Multi-protocol deployments | Medium

Rebalancing between strategies requires interacting with multiple external protocols. Failed migrations or slippage during large rebalances can result in fund loss or suboptimal allocation.

Auto-compounding mechanism | Gas cost optimization | Medium

Harvest frequency depends on gas costs and yield size. During high gas periods, small vaults may not be harvested frequently enough, reducing effective yields or making strategies unprofitable.

What Could Go Wrong

  1. Devastating $24M flash loan exploit in October 2020 via price manipulation of Curve pools — TVL dropped from $1B to $335M
  2. Yield strategies depend on external protocol security — aggregator inherits risks from every integrated protocol
  3. Flash loan oracle manipulation vulnerability class remains a structural concern for yield aggregator designs

Flash Loan Oracle Manipulation Replay

Elevated

Trigger: An AMM pool used for vault share pricing experiences >5% spot price deviation from TWAP within a single block, enabling single-transaction arbitrage extraction

  1. Attacker identifies vault using AMM spot price for share valuation. Flash loan of $50M+ borrowed to manipulate target Curve or Uniswap pool.
  2. AMM pool price manipulated within single transaction. Vault share price computed from stale/manipulated AMM price.
  3. Attacker deposits at artificially low share price. Receives excess fTokens relative to actual underlying value.
  4. Pool price restored within same transaction. Attacker withdraws at correct price, extracting value from existing depositors.
  5. Vault TVL drops as depositors realize losses. Confidence collapse triggers withdrawal spiral, repeating the 2020 pattern of $1B to $335M TVL decline.
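
A guard against the trigger condition above, as an added example (not Harvest's code and not from the original page): share pricing refuses any spot price more than 5% away from a block-weighted TWAP. The names `Observation`, `checked_price` and `shares_for_deposit`, the 10-block window and the sample prices are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_DEVIATION = 0.05  # the >5% spot-vs-TWAP trigger described above


@dataclass(frozen=True)
class Observation:
    block: int    # block at which this price took effect
    price: float  # AMM price in force from that block on (constructed values)


class PriceDeviation(Exception):
    """Spot price is too far from the TWAP to be trusted for share pricing."""


def twap(history, now_block, window):
    """Block-weighted average price over the `window` blocks before now_block."""
    start = now_block - window
    weighted = elapsed = 0.0
    # Each observation stays in force until the next one, or until now_block.
    # A price moved inside the current transaction has zero duration, so it
    # cannot shift the average.
    ends = [o.block for o in history[1:]] + [now_block]
    for obs, end in zip(history, ends):
        lo, hi = max(obs.block, start), min(end, now_block)
        if hi > lo:
            weighted += obs.price * (hi - lo)
            elapsed += hi - lo
    if elapsed == 0:
        raise ValueError("no observations inside the TWAP window")
    return weighted / elapsed


def checked_price(spot, history, now_block, window=10):
    """Return the price to use for share math, or refuse a suspicious spot."""
    reference = twap(history, now_block, window)
    if abs(spot - reference) / reference > MAX_DEVIATION:
        raise PriceDeviation(f"spot {spot} vs TWAP {reference:.4f}")
    return spot


def shares_for_deposit(amount, vault_units, total_shares, price):
    """fTokens minted for `amount`, valuing the vault's holdings at `price`."""
    return amount * total_shares / (vault_units * price)


# Constructed history: price 1.00 from block 100, then 1.01 from block 108.
HISTORY = [Observation(100, 1.00), Observation(108, 1.01)]
```

With this history, a spot of 1.01 at block 110 passes, while a spot of 0.90 is rejected; priced without the check, the same 1000-unit deposit would mint about 1111 fTokens instead of 1000.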

Risk Profile at a Glance

Mechanism Novelty: 0/15
Interaction Severity: 10/20
Oracle Surface: 5/10
Documentation Gaps: 4/10
Track Record: 15/15
Scale Exposure: 3/10
Regulatory Risk: 2/10
Vitality Risk: 9/10

Overall: C (48/100)

Lower score = safer
