/Harvest-exploit

Reconstruction of the Harvest oracle exploit


Harvest Finance

Summary

On October 26, an attacker executed many transactions through a contract that took out a pair of flash loans and manipulated the price oracle used for Harvest's pools, thereby creating an arbitrage opportunity on the price of the pool tokens.

Background

Harvest Finance provides farming strategies that move depositors' funds into different protocols, passing rewards from those protocols to the depositors along with Harvest's own Farm token. When a user deposits funds into a Harvest pool, they are given pool tokens to represent their share of the pool.
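The following is an added example, not code from this repository or from Harvest: a simplified model of why pool tokens priced from a manipulable oracle can be minted too cheaply, together with a deviation check that rejects such a price. The vault layout, function names, numbers and the idea of a trusted reference price (for example a time-weighted average) are all assumptions made for illustration.

```javascript
// Added illustration: a simplified model, not Harvest's contracts. All names and numbers are constructed.
const SCALE = 1_000_000n; // fixed-point scale for prices (1.0 == SCALE)

// Vault value in underlying units: idle funds plus the invested position at the oracle price.
function vaultValue(vault, price) {
  return vault.idle + (vault.invested * price) / SCALE;
}

// Deposit: mint pool tokens in proportion to the vault value the oracle reports right now.
function deposit(vault, amount, price) {
  const shares = (amount * vault.totalShares) / vaultValue(vault, price);
  const after = { ...vault, idle: vault.idle + amount, totalShares: vault.totalShares + shares };
  return { shares, vault: after };
}

// Withdraw: redeem pool tokens for a proportional slice of the vault value.
function withdraw(vault, shares, price) {
  return (shares * vaultValue(vault, price)) / vault.totalShares;
}

// Deposit at one oracle price and withdraw at another; returns the amount paid out.
function roundTrip(vault, amount, priceIn, priceOut) {
  const { shares, vault: after } = deposit(vault, amount, priceIn);
  return withdraw(after, shares, priceOut);
}

// Mitigation sketch: refuse to price a deposit or withdrawal when the spot price
// strays more than maxDeviationBps from a reference price (assumed to be trusted).
function checkedPrice(spot, reference, maxDeviationBps) {
  const diff = spot > reference ? spot - reference : reference - spot;
  if (diff * 10_000n > reference * maxDeviationBps) {
    throw new Error("oracle price outside allowed deviation");
  }
  return spot;
}

const vault = { idle: 0n, invested: 1_000_000n, totalShares: 1_000_000n };
console.log(roundTrip(vault, 100_000n, SCALE, SCALE));    // same price in and out: no gain
console.log(roundTrip(vault, 100_000n, 990_000n, SCALE)); // price depressed 1% at deposit time
```

The gain in the second round trip comes out of the existing depositors' share of the vault, which is why the valuation price must not be movable within a single transaction.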

This repository

The repository is a Hardhat-based reconstruction of one example of the exploit. To use it, clone the repository and install the dependencies with npm install. Rename the .env-sample file to .env and paste in your Alchemy API URL.

Running npx hardhat run scripts/deploy.js from the root will execute Exploit.sol and mimic a transaction that the exploiter ran, as if you were the exploiter. This runs on a fork of mainnet taken at a block from the time of the exploit, and prints the different actions and results of the transaction to the console.

Please note that these contracts are made to run the exploit for educational purposes and are not production worthy.

Details of the vulnerability

Still compiling this part.

Timeline of events

All of the following transactions were called by the exploiter on the malicious contract. Note that between the 0xfdb57542 and 0x60e11a36 entries there were many more calls to these methods as can be seen here.