Harvest Finance (launched in September 2020) is a yield farming platform that farms the highest available yields from DeFi (Decentralized Finance) protocols. It has its cashflow token with the ticker symbol $FARM. In October 2020, the total value locked (TVL) on the platform exceeded $1 billion.
In October 2020, Harvest Finance was exploited for $24 million after an arbitrage trade manipulated the price of stablecoins held in the protocol’s votes. FARM fell by 65% in an hour, and Harvest Finance’s total value locked fell from just over $1 billion to $290 million, according to data from DefiLlama. Its TVL had fallen to $109 million as of June 2022.
it was reported that the anonymous developers behind the project have an admin key that gives its holders the ability to mint tokens at will and steal users’ funds. The holders of the governance key would thus have the theoretical possibility of stealing all of the $1.05 billion in assets committed to the protocol, in addition to the funds in the Uniswap pool.
We hope this will make yield farming more accessible and help create a sustainable community-governed farming cooperative that only has one goal in mind: #BreadForThePeople. 🥖👨🌾👩🏻🌾 
Harvest Finance has a token with the ticker symbol $FARM, which has a supply of 690,420 FARM and is to be distributed for four years from its launch. 
Around mid-October, Harvest Finance accumulated over $334 million in TVL. The following week from this milestone, its TVL doubled to over $704 million, ranking it as the seventh most valuable DeFi protocol, according to DeFi Pulse. As of mid-October 21, 2020, its TVL officially sits at over $1 billion. 
The Harvest Finance protocol is designed to be user-friendly and accessible to everyone. The platform’s interface is straightforward to navigate, and its documentation is clear and concise. In addition, the protocol offers a wide variety of features and customization options, making it an attractive option for both experienced and novice users.
Harvest Finance's protocol design automatically farms the highest available yields and distributes the profits to users in the pool. Most assets can be farmed through the platform. If not, they will be readily available once 'respective strategies get developed.'
The incentives of participating in the platform's protocol include receiving the platform's native token: $FARM. Profits from the protocol are distributed to those who hold $FARM.
FARM token is a governance token for the Harvest Finance platform. FARM is used to stake and vote on proposals to determine the direction of the protocol. The more FARM you stake, the more influence you have on decisions made about the protocol.
FARM Use Case
- Accessing to the Farming Platform: The FARM token grants users access to the Farming Platform. By staking FARM tokens, users will be able to farm a variety of digital assets.
- Receiving rewards: Farmers will be rewarded with FARM tokens for their contributions to the platform.
- voting: FARM token holders will have voting rights on the platform, which they can use to influence the project’s direction.
- listing new assets: FARM token holders can list new assets on the Farming platform;
- trading: FARM tokens can be traded on various exchanges.
$FARM has a total supply of 690,420 FARM. The tokens are to be distributed from its launch (August 29, 2020), for four years. After its first four weeks, it distributed 23555 FARM every week. Its distribution is split into three different categories.
- 70% towards liquidity providers
- 10% rewards for operational treasury
- 20% rewards for the Harvest Finance team
Farm Can be traded on:
On October 23, 2020, CoinTelegraph reported that Harvest Finance has an admin key that gives its holders the ability to mint tokens at will and steal users’ funds. As noted by auditing companies PeckShield and Haechi and highlighted by Chris Blec, a DeFi community member, the governance parameters are not set by a contract with clearly defined rules. An admin key, presumably held by the anonymous developers behind the project, could be used to arbitrarily mint new FARM tokens. This power could allow the governance key holders to create an unlimited number of tokens and drain funds in the token’s Uniswap pool, which holds $12 million in USD Coin (USDC) as of mid-October. 
Haechi highlighted that in addition to the minting mechanics, the governance key holder can change the vault functionality at will, which could be exploited by submitting a bogus strategy that simply sends the funds to an attacker-controlled address. The holders of the governance key would thus have the theoretical possibility of stealing all of the $1.05 billion in assets committed to the protocol, in addition to the funds in the Uniswap pool. 
DeFi investor Tetranode, who allegedly invested 1% of his portfolio in Harvest, requested that the project include a 12-hour lock dashboard. Hence, users would be able to exit their positions within the lock-in period if the developers introduce any dubious changes.  
In response to the audits, the Harvest Finance team introduced a 12-hour time lock that should give enough advanced warning to users if any foul play is detected however this requires constant community vigilance. 
According to reports surfacing on October 26, around $24 million in value was drained from Harvest Finance pools and swapped for renBTC (rBTC) by an unknown attacker.
Harvest Finance revealed that the hacker “manipulated prices on one money lego (curvey pool) to drain another money lego [farm USDT (fUSDT), farm USDC (fUSDC)], many times. The attacker then converted the funds to renBTC and exited to bitcoin.” Other funds were mixed through Tornado Cash, an Ethereum obfuscation software. Following the attack, investors appear to have pulled roughly $350 million from the site. The anonymous team behind Harvest Finance said in a tweet:
“We are working actively on the issue of mitigating the economic attack on the Stablecoin and BTC pools, and will update in this thread in realtime (sic) as soon as additional details are available.” 
The attacker subsequently sent back about $2.5 million to the deployer in the form of Tether and USD Coin. “This will be distributed to the affected depositors pro-rata using a snapshot,” Harvest Finance tweeted.
The team further said the “economic attack” was made possible by manipulating stablecoin prices on Curve Finance, another DeFi protocol that Harvest Finance contracts interact with. The project’s admins claim to have withdrawn “100% of stablecoin and BTC curve strategy funds” to the vault and “are moving to block deposits to the Stablecoin and BTC vault,” the Harvest team said in the project’s Discord.
Farm, Harvest’s native token, fell 54% to $101.79 on the news, according to CoinGecko data. Following the attack, the amount of money locked in the protocol also dropped 70% from $1 billion to $296 million, according to DeFi Pulse. 
Harvest provided a list of 10 Bitcoin addresses of the hacker, where it believes the stolen funds may have been moved. It also asked exchanges like Binance, Coinbase, and Huobi to block the attacker’s addresses. Harvest Finance also appealed directly to the attacker to return funds. “For the attacker: you’ve proven your point, if you can return the funds to the users, it would be greatly appreciated by the community, including many bystanders watching DeFi from afar,” the DeFi protocol said in a tweet. 
The platform said that there is a “significant amount of personally identifiable information on the attacker, who is well-known in the crypto community.” Not willing to dox the cyber-thief, Harvest Finance offered a $100,000 bounty “for the first person or team to reach out to the attacker”. 
Did you find this article interesting?