fUSDC/fUSDT Economic Attack Oct 26 2020


Last updated 1 year ago


At 02:53 UTC on Monday October 26th 2020, attackers launched an economic attack on the fUSDC and fUSDT vaults to drain a total of $24 million.

At around 03:30 UTC, users in the Harvest Finance Discord began noticing significant drops in their USDT and USDC balances in the respective vaults.

The Harvest dev team was immediately informed, and shortly after, all DAI, TUSD, renBTC, wBTC, and remaining USDC and USDT funds on Curve were being reverted into the vaults pending investigation. Converting into these pools was disabled shortly afterward, while reverting is unaffected.

The attacker repeatedly exploited the effects of impermanent loss of USDC and USDT inside the Y pool on Curve.fi. They used the manipulated asset value to convert funds into Harvest's vaults and obtain vault shares at a beneficial price, then exited the vault at the regular share price, generating a profit.

At around 19:00 UTC the same day, a post mortem was posted on Medium. Refer to the article for the latest details on the attack, the attacker, and the current addresses of stolen funds.

All WETH, UNI LP, and SUSHI LP conversions are immune to a similar attack. They remain invested and continue to compound. Remaining non-reverted funds in the Curve strategies continue to earn FARM.
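The share accounting behind the round trip described above, as an added toy model that is not Harvest's contract code or part of the original page: `ToyVault`, `round_trip`, all amounts and the `max_deviation` guard are constructed assumptions. It shows that shares minted against a skewed pool valuation move value from existing holders to the depositor, and that a deposit-time deviation check (a hypothetical mitigation, not one this page says Harvest adopted) rejects the deposit.

```python
from fractions import Fraction


class ToyVault:
    """Constructed model, not Harvest's contract code. Amounts are in millions of
    the underlying stablecoin; pool_price is the value the external pool currently
    assigns to the invested position (1 = fair value)."""

    def __init__(self, idle, invested, shares, max_deviation=None):
        self.idle, self.invested = Fraction(idle), Fraction(invested)
        self.shares = Fraction(shares)
        self.max_deviation = max_deviation  # hypothetical guard; None disables it

    def share_price(self, pool_price):
        return (self.idle + self.invested * pool_price) / self.shares

    def deposit(self, amount, pool_price):
        if self.max_deviation is not None and abs(pool_price - 1) > self.max_deviation:
            raise ValueError("pool price too far from reference; deposit rejected")
        minted = Fraction(amount) / self.share_price(pool_price)
        self.idle += amount
        self.shares += minted
        return minted

    def withdraw(self, shares, pool_price):
        payout = shares * self.share_price(pool_price)
        self.shares -= shares
        from_idle = min(self.idle, payout)      # pay from idle funds first
        self.idle -= from_idle
        self.invested -= (payout - from_idle) / pool_price
        return payout


def round_trip(vault, amount, skewed_price):
    """Deposit while the pool valuation is skewed, withdraw once it is back at 1.
    Returns (depositor gain, loss borne by the pre-existing shares)."""
    old_shares = vault.shares
    value_before = old_shares * vault.share_price(Fraction(1))
    minted = vault.deposit(amount, skewed_price)
    payout = vault.withdraw(minted, Fraction(1))
    value_after = old_shares * vault.share_price(Fraction(1))
    return payout - amount, value_before - value_after


if __name__ == "__main__":
    gain, loss = round_trip(ToyVault(0, 100, 100), 50, Fraction(99, 100))
    print(f"unguarded: depositor gain {float(gain):.4f}, holder loss {float(loss):.4f}")
    try:
        round_trip(ToyVault(0, 100, 100, max_deviation=Fraction(3, 1000)), 50, Fraction(99, 100))
    except ValueError as err:
        print("guarded:", err)
```

The depositor's gain equals the existing holders' loss exactly, which is why the drop showed up in user balances rather than as a separate missing amount.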