Sunday, November 29, 2020

Anonymous devs behind a DeFi yield farm could steal $1B in 12 hours

Must Read

Guggenheim Partners prepares to dip investment fund’s toes into Bitcoin

An SEC filing on Friday indicates that the next Wall Street institution to take a public position in Bitcoin may also be among the...

HUGE Altcoin Potential: Ethereum (ETH), Quant (QNT), TomoChain (TOMO), Kava.io (KAVA)

Bitcoin is still fighting to reach an new all time high. So in the meantime, let's examine some of the altcoin projects that will...

Bitcoin carnage, Eth2 milestone, Libra launch, PayPal blunder: Hodler’s Digest, Nov. 21–27

Coming every Saturday, Hodler’s Digest will help you track every single important news story that happened this week. The best (and worst) quotes, adoption...

Bitcoin relief rally is underway — Can BTC price reclaim $18K?

Bitcoin (BTC) price dropped severely in the previous week, falling from $19,500 to $16,000. Corrections never occur smoothly as dropdowns are frequently sudden and...

Harvest Finance, a decentralized finance project that succeeded in attracting over $1 billion in funds locked has an admin key that gives its holders the ability to mint tokens at will and steal users’ funds.

As noted by auditing companies PeckShield and Haechi, the governance parameters are not set by a contract with clearly defined rules. An admin key, presumably held by the anonymous developers behind the project, could be used to arbitrarily mint new FARM tokens.

This power could allow the governance key holders to create an unlimited number of tokens and drain funds in the token’s Uniswap pool, which currently holds $12 million in USDC.

Harvest Finance is an automated yield management system, featuring vault-based strategies similar to Yearn Finance. Haechi highlighted that in addition to the minting mechanics, the governance key holder has the ability to change the vault functionality at will, which could be exploited by submitting a bogus strategy that simply sends the funds to an attacker-controlled address.

The holders of the governance key would thus have the theoretical possibility of stealing all of the $1.05 billion in assets committed to the protocol, in addition to the funds in the Uniswap pool.

Source: DeFi Pulse

In response to the audits, the team introduced a 12 hour time lock that should give enough advanced warning to users if any foul play is detected — but that requires constant community vigilance.

The project is currently running a classical yield farm similar to many of the “food coins.” Users can commit Ether (ETH), Wrapped Bitcoin (BTC) and other assets, but the highest FARM yield can be found by submitting FARM tokens themselves, without necessarily requiring the additional layer of abstraction of Uniswap pool tokens. Such a circular dependency is characteristic of many crypto Ponzi schemes.

The team is completely anonymous, though the project succeeded in attracting a relatively sizable community and has been involved in the community by doling out grants.

While nothing would suggest malicious intentions for now, the project is strongly centralized and prospective farmers should be aware that they are trusting an anonymous group of developers to resist the temptation to run off with their money, similarly to how the community initially trusted SushiSwap’s founder.