Harvest Finance Places Bounty on Hacker

A decentralized finance (DeFi) protocol is offering a $100k reward for help in contacting its alleged cyber-attacker.

Reports emerged a week ago that Harvest Finance had allegedly been targeted by an unknown cyber-criminal who drained $24m in value from its pools in seven minutes. The malicious hacker allegedly cashed out the cryptocurrency into a virtual wallet via renBTC and Tornado. 

The anonymous team behind Harvest Finance said that the attacker had drained the pools by manipulating stablecoin prices on Curve Finance, a DeFi protocol that interacts with Harvest Finance contracts.

Following the alleged attack, Harvest Finance tweeted: “We are working actively on the issue of mitigating the economic attack on the Stablecoin and BTC pools, and will update in this thread in realtime (sic) as soon as additional details are available.”

Bizarrely, the attacker returned about $2.5m to the deployer in the form of Tether (USDT) and USD Coin (USDC). 

Harvest Finance tweeted that the money that had been sent back "will be distributed to the affected depositors pro-rata using a snapshot."

Earlier today, Harvest Finance tweeted 10 BTC addresses used by the alleged hacker and asked major cryptocurrency exchanges, including Binance and Coinbase, to blacklist them.

After claiming to have discovered some clues as to the alleged hacker's identity, the DeFi protocol then put a bounty out on them via Twitter.

The message posted earlier today via @harvest_finance read: "In addition to the BTC addresses which hold the funds, there is now a significant amount of personally identifiable information on the attacker, who is well-known in the crypto community.

"We are putting out a 100k bounty for the first person or team to reach out to the attacker and help the attacker return the funds to the deployer address."

The protocol said it was not interested in taking any kind of revenge against the alleged hacker.

In an October 26 tweet apparently directed at their digital assailant, Harvest Finance wrote: "We are not interested in doxxing the attacker, your skill and ingenuity is respected, just return the funds to the users."
