Anonymous devs behind a DeFi yield farm could steal $1B in 12 hours

Published at: Oct. 23, 2020

Harvest Finance, a decentralized finance project that succeeded in attracting over $1 billion in funds locked, has an admin key that gives its holders the ability to mint tokens at will and steal users’ funds.

As noted by auditing companies PeckShield and Haechi and highlighted by Chris Blec, a DeFi community member, the governance parameters are not set by a contract with clearly defined rules. An admin key, presumably held by the anonymous developers behind the project, could be used to arbitrarily mint new FARM tokens.

This power would allow the governance key holders to create an unlimited number of FARM tokens and sell them into the token’s Uniswap pool, draining the pool’s other side, which currently holds $12 million in USD Coin (USDC).

Harvest Finance is an automated yield management system, featuring vault-based strategies similar to Yearn.finance: each vault forwards depositors’ assets to a strategy contract that deploys them. Haechi highlighted that in addition to the minting mechanics, the governance key holder has the ability to change a vault’s strategy at will, which could be exploited by submitting a bogus strategy that simply sends the funds to an attacker-controlled address.

The holders of the governance key would thus have the theoretical possibility of stealing all of the $1.05 billion in assets committed to the protocol, in addition to the funds in the Uniswap pool.

In response to the audits, the team introduced a 12-hour time lock, so that a governance change must be announced 12 hours before it can take effect. That should give users enough advance warning to withdraw if foul play is detected, but only if someone is watching: a time lock protects depositors who notice the pending change and exit in time, and requires constant community vigilance.
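The two mechanisms described above, a strategy switch that drains a vault in one transaction and the announce-then-execute time lock that mitigates it, as an added illustration in Solidity. This is hypothetical example code written for this article, not Harvest Finance’s contracts; the contract, function and event names (VaultNoTimelock, VaultWithTimelock, announceStrategy, finalizeStrategy, StrategyAnnounced) and the minimal deposit and withdraw functions are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical illustration added to this article; not Harvest Finance's code.
// All names below are assumptions made for the example.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Before: a single governance key can swap the strategy and move the vault's
// whole balance in one transaction. Depositors get no warning.
contract VaultNoTimelock {
    address public governance;
    IERC20 public immutable asset;
    address public strategy; // any contract the vault forwards deposits to

    constructor(IERC20 _asset, address _strategy) {
        governance = msg.sender;
        asset = _asset;
        strategy = _strategy;
    }

    modifier onlyGovernance() { require(msg.sender == governance, "!governance"); _; }

    function setStrategy(address newStrategy) external onlyGovernance {
        strategy = newStrategy;
        // Hand every idle token to the new strategy immediately. If newStrategy
        // is attacker-controlled, the vault is now empty.
        asset.transfer(newStrategy, asset.balanceOf(address(this)));
    }
}

// After: the same power, but every change is announced first and can only be
// executed once DELAY has elapsed. Anyone watching StrategyAnnounced can
// withdraw inside that window.
contract VaultWithTimelock {
    uint256 public constant DELAY = 12 hours;

    address public governance;
    IERC20 public immutable asset;
    address public strategy;
    address public pendingStrategy;
    uint256 public pendingReadyAt;
    mapping(address => uint256) public deposits;

    event StrategyAnnounced(address indexed newStrategy, uint256 readyAt);
    event StrategyChanged(address indexed oldStrategy, address indexed newStrategy);

    constructor(IERC20 _asset, address _strategy) {
        governance = msg.sender;
        asset = _asset;
        strategy = _strategy;
    }

    modifier onlyGovernance() { require(msg.sender == governance, "!governance"); _; }

    function deposit(uint256 amount) external {
        require(asset.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        deposits[msg.sender] += amount;
    }

    // Exit path depositors use during the warning window. Simplified: assumes
    // the vault holds enough idle asset (a real vault would also unwind the
    // strategy position first).
    function withdraw(uint256 amount) external {
        require(deposits[msg.sender] >= amount, "insufficient deposit");
        deposits[msg.sender] -= amount;
        require(asset.transfer(msg.sender, amount), "transfer failed");
    }

    // Step 1: governance announces. Nothing moves yet; the event is the signal
    // watchers act on.
    function announceStrategy(address newStrategy) external onlyGovernance {
        require(newStrategy != address(0), "zero strategy");
        pendingStrategy = newStrategy;
        pendingReadyAt = block.timestamp + DELAY;
        emit StrategyAnnounced(newStrategy, pendingReadyAt);
    }

    // Step 2: only after DELAY, and only for the strategy that was announced.
    function finalizeStrategy() external onlyGovernance {
        require(pendingStrategy != address(0), "nothing pending");
        require(block.timestamp >= pendingReadyAt, "timelock not expired");
        address old = strategy;
        strategy = pendingStrategy;
        pendingStrategy = address(0);
        pendingReadyAt = 0;
        emit StrategyChanged(old, strategy);
        asset.transfer(strategy, asset.balanceOf(address(this)));
    }
}
```

Two caveats a reviewer would raise on the hardened version. First, the delay only helps if the StrategyAnnounced event is actually monitored and depositors can exit before pendingReadyAt; a time lock nobody watches is equivalent to no time lock. Second, the announce-then-finalize pattern has to cover every privileged action, including any minting function, otherwise the unguarded path remains the one an attacker uses.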

The project is currently running a classical yield farm similar to many of the “food coins.” Users can commit Ether (ETH), Wrapped Bitcoin (WBTC) and other assets, but the highest FARM yield can be found by submitting FARM tokens themselves, without necessarily requiring the additional layer of abstraction of Uniswap pool tokens. Such a circular dependency is characteristic of many crypto Ponzi schemes.

The team is completely anonymous, though the project has succeeded in attracting a relatively sizable community and has engaged with that community by doling out grants.

While nothing would suggest malicious intentions for now, the project is strongly centralized and prospective farmers should be aware that they are trusting an anonymous group of developers to resist the temptation to run off with their money, similarly to how the community initially trusted SushiSwap’s founder.

Update, 6 pm UTC: The article was amended with an additional source of information.
