REALLY?? $25 Million in 7 mins | Harvest Finance Hack Explained #Finance

i often receive emails asking me hey julian can we still make money in d5 or is it too late the short answer is a big yes last week someone made a Profit of 24 million dollar in seven minutes with very little Capital and very little risk in this CashNews.co

i’m going to explain how that happened step by step with all the details it involves a defined protocol called harvest Finance and it used an advanced defined technique

called a flashlight with flash Loans you can borrow millions of dollars without any collateral and you can use the money to make even more money this stuff is really mind-blowing and it’s only in defy is as you can see it’s not too late to make money with flash on so if

you want to learn how to make arbitrage with flash Loan check out my free training down below and if you don’t know me i’m julian and on my channel in the blogs i teach defy and blockchain development harvest

style="font-weight: bold; color: #1a73e8; text-decoration: none;">Finance is a robot advisor for defy which is also called a defy Yield aggregator it automatically allocates your investment into the d5 protocol with the highest return it became hugely popular when it

launched in october 2020 reaching almost one billion dollar in total value locked this is not the first robot advisor for d5 the first d5 protocol that did this was yeon none;">Finance of andre cronray and harvest Finance took the same id and launched its own version of yarn

style="font-weight: bold; color: #1a73e8; text-decoration: none;">Finance with harvest Finance you can invest some stable coins like da usdc usdt but also some

other Assets like rap ether or rap btc harvest Finance forward your tokens into another d5 protocol with the highest Yield in exchange you

get tokens that prove that you have invested in harvest Finance for example if you invest usdc you get f usdc from harvest

style="font-weight: bold; color: #1a73e8; text-decoration: none;">Finance at any time you can redeem your fusdc to get back your original usdc plus the Profit you again paid in usdc as well the rebalancing in the best default protocol is done at every block and that

guarantee you that you get the best Yield at any time okay so now that we have a better understanding of how the javis Finance protocol work next we need to

understand how flashlights work because that’s the mechanism that was used in the hack of the harvest protocol flash Loan allow you to borrow a lot of money on the blockchain without any collateral the without any collateral part is very important usually in traditional

Finance we only lend to the rich but with flash Loan even if you don’t have any Capital you can still access a lot of borrowed

Capital how this is possible and how does the lender can protect itself if you don’t reimburse the money let’s see how this works in a flash Loan you need to deploy your own smart contract that’s the flashlight borrower on this schema the first

step is to borrow tokens from a flashing provider there are several flashing providers and usually there are exchanges like uni swap or rv after once you have the tokens in your flashlight borrow a contract you can do whatever you want with these tokens for example you can do some arbitrage or some

liquidations and after the last step is to return the broad money to the flashlight provider plus a small fee if you don’t do this the whole transaction fails that’s how the lender protect itself everything happened in a single transaction there is no concept of Loan

duration i know this sounds really crazy and there is no equivalent of a flash Loan in traditional Finance this is unique to d5 okay so that’s it for

this explanation of how flashlight work next i’m going to explain the hack of harvest Finance so as i said in the intro someone made 24 million of

Profit with the harvest Finance protocol and a flashlight and i’m going to explain what happened exactly in this section the first step was to borrow a

lot of stable coin in a flash Loan there are several protocols that provide flash Loan but for this hike the attacker chose uniswep so with this uni swap flash Loan the attacker borrowed 50 million of usdc and about 18.3 million of usdt after the

next step was to increase the price of usdc for that the attacker sold for about 17.2 usdt to buy a similar amount of usdc on a pool of curve Finance which is a famous

decentralized exchange when you trade a large amount like this it moved the price of the market that’s what we call slippage so in this case it made the price of usdc go up when you invest usdc in the pool of harvest color: #1a73e8; text-decoration: none;">Finance you exchange usdc against fusdc which can also be called a share of the usdc pool on harvest Finance the price of

the share depends on the price of usdc on curb Finance why curve none;">Finance and not another decentralized exchange this is up to the developer of harvest Finance to decide but my guess why they pick curve

href="https://cashnews.co/finance" style="font-weight: bold; color: #1a73e8; text-decoration: none;">Finance is because it’s the most popular exchange for stablecoin so it makes sense to take the price other ref as a reference because the attacker just made the price of usdc go

up on curve the price of the usdc share on harvest went down or in other terms we can get more share with the same amount of usdc so the next step was to deposit about 15 million of usdc on harvest text-decoration: none;">Finance and get usdc Shares in return after that the next step was to manipulate the price of usdc in the other direction on curb none;">Finance for that the attacker sold 17.2 usdc to buy a similar amount of usdt on curve Finance this caused the price of usdc to go down this time which

made the price of the usdc share go up on harvest Finance or in other terms we need more usdc to buy a usdc share on harvest after that the attacker sold its usdc

Shares by sending the fusdc token to harvest and in accent got the usdc back he got about 15.6 million usdc back which is 600 million more than what was initially used to buy the Shares so in other words that’s a Profit of 600 million so why

is there a Profit here there is a Profit because the attacker was able to buy a usdc share of harvest at a low price and later sell these Shares at a high price by a low sell high the basics of trading and after that the attackers sold this 600

million to gen btc a token that represents btc on the ethereum blockchain and after that he redeemed this gen btc token to btc so he actually got some real bitcoin it seems like the attacker did this in order to be able to use a bitcoin mixer which is a technique used to make it harder to track

your transactions he repeated the process 17 times for the usdc pool of harvest Finance and 13 times for the usdt pool so what the aftermath of this hack it took seven

minutes for the attacker to do this hack he made 24 million dollar which were taken directly from the pocket of other investors of harvest Finance curiously 2.5 million of

Profit were returned by the attacker to the harvest Finance protocol when the news of this became public investors started to free cut which caused a massive

withdrawal of 75 million dollars from the platform the farm token the governance token of harvest also took a massive nose dive and fell 54 to about 100 the team of harvest was pretty fast to respond they announced a bounty of 100 000 to identify the attacker they also said that they actually knew

the identity of the attacker so we can know for sure if that’s true but in any case it’s a nice trick to put some psychological pressure on the attacker harvest none;">Finance also identified the bitcoin addresses involved in the hack and asked the main exchanges to block these addresses the big vulnerability in the smart contract of harvest text-decoration: none;">Finance was that they use the on-chain price oracle of curve Finance it’s very easy to manipulate prices on the blockchain if you

want to protect against this problem you have to use an option oracle like chain link so now that you understand how this flashlight hack work the big question is how you can make that much money yourself first you got to be aware that there is some debate in the community about whether this flash

Loan transaction was a hack or not on the one hand the guy who did this flash Loan just used the code of smart contract and one of the founding principles of blockchain is that code is low whatever you can do with the code you have the right to do it on the other

hand of course the creators of harvest Finance did not intend a smart contract to be used that way what happened was essentially market manipulation currently the device

space is not regulated but in the future at some point regulators will start to have a look and at that time it’s not impossible that regulators will consider this type of operation illegal if and when that happened regulators might decide to find people who were involved in this even for

past operation for example that’s what happened to the guy who operated ether delta the first decentralized exchange who got fined four hundred thousand dollar can you make money with flashlight without taking any legal risk yes you can and the good news is that you can do it in a repeatable

way by running scripts that monitor and execute arbitrage opportunities automatically i explain all of this in my flashlight free training down below and on my channel i also have many other CashNews.cos that tell you everything you need to know about flash Loans and how to make

money with them you can find all of these CashNews.cos in this playlist on my channel i’ll see you there