Harvest Finance
HackedDeFi · $FARM · ✝ 2020
A flash loan bent Curve prices and farmed ~$25M from the vaults.
Harvest Finance was an Ethereum yield-farming aggregator hit in October 2020 by a flash-loan price-oracle attack of roughly $25M. The attacker used flash loans to distort stablecoin prices inside Curve pools and exploit the resulting share mispricing.
- Peak
- ~$25M stolen
- Cause
- Hacked
- Year of death
- 2020
☠️ Cause of death
Flash loans manipulated the Curve pool prices the vaults relied on, letting the attacker deposit and withdraw at artificially favorable rates.
📓 Lessons left behind
- —Curve and AMM spot prices are manipulable within one transaction.
- —Reads of external pool state need manipulation-resistant oracles.
- —Yield aggregators inherit every dependency's pricing risk.
🌱 The idea that survived
Manipulation-resistant oracles
Hastened DeFi's shift away from naive spot-price reads toward oracle designs resistant to flash-loan manipulation.
#defi#flash-loan#oracle