The anonymous developers of Harvest Finance could steal one billion dollars in 12 hours


Those who invest in Harvest Finance must really have a lot of confidence in the development team of this DeFi protocol

Harvest Finance, a DeFi protocol that has managed to attract over $1 billion of funds, has an admin key that gives its holders the ability to issue tokens at will and steal user funds.

As pointed out by the auditing firms PeckShield and Haechi, as well as Chris Blec, member of the DeFi community, the governance parameters are not set by a contract with clearly defined rules. An admin key, presumably held by the anonymous developers of the project, could be used to arbitrarily release new FARM tokens: this would allow developers to create an unlimited number of tokens and thus drain funds into the Uniswap pool of the token, which currently holds $12 million denominated in USD Coin (USDC).

Harvest Finance is an automatic vault based yield management system very similar to Yearn.finance. Haechi pointed out that, in addition to the mechanics of issuance, the holder of the governance key also has the ability to modify the vault functionality at will. This function could be exploited by criminals simply by sending the funds to another address controlled by criminals.

Holders of the governance key would then have the ability to steal all of the $1.05 billion of assets invested in the protocol, in addition to the Uniswap pool funds.

In response to the criticism, the team has introduced a 12-hour blockade to give users ample notice in case someone attempts an attack, but this requires constant vigilance over the protocol by the community.

The project is currently running a classic yield farm, similar to many food co-ins. Users can invest Ether (ETH), Wrapped Bitcoin Freedom (WBTC) and other assets, but the highest FARM yield is achieved through the FARM tokens themselves. Such a circular dependency is characteristic of many Ponzi schemes in the crypto world.

The team is completely anonymous, although the project has managed to attract a relatively large following and has been involved in the community by distributing grants.

Although no hostile acts have been recorded so far, the project is highly centralized and potential farmers should be aware of the situation they are in: by entrusting their money to an anonymous group of developers, they place their trust that they will resist the temptation to run away with their money, similar to what actually happened with the SushiSwap creator.