Harvest Finance
A yield-farming protocol exploited on October 26, 2020 in a flash-loan attack that manipulated Curve pool prices to drain its USDC and USDT vaults. Estimates ranged from ~$24M to ~$33.8M; the attacker returned about $2.5M.
Also known as: Harvest Finance, FARM
Summary
Harvest Finance was a yield-aggregation ("robo-advisor") DeFi protocol. On October 26, 2020, an attacker used Uniswap flash loans to repeatedly skew the prices of USDT and USDC inside a Curve pool that Harvest used to value its vault shares, buying and redeeming shares at manipulated rates to drain the protocol's stablecoin vaults. [1][2]
Scale
Initial estimates of about $24 million were later revised by the team to roughly $33.8 million; the attacker returned about $2.5 million. The exploit, executed in a few minutes, crashed the protocol's FARM token; Harvest published a post-mortem calling it an "engineering error" and offered a bounty for the funds' return. [1][2]
Bracketed numbers refer to the numbered sources listed below.
People & entities involved
Sources (2)
See also
- Loci (LOCIcoin)TokensA 2017–2018 ICO for 'LOCIcoin' tied to the InnVenn IP-search platform. The SEC charged Loci and CEO John Wise with fraud for raising $7.6M on false claims about revenue, headcount, and user base; Wise also misused investor funds. Settled with a $7.6M penalty and an officer/director bar.
- Blockchain Terminal (BCT)TokensA 2017–2018 ICO (BCT tokens, ~$30M) for a 'Blockchain Terminal' — a Bloomberg-style crypto trading terminal. The SEC and DOJ said convicted ex-hedge-funder Boaz Manor secretly ran it under a fake identity ('Shaun MacDonald'), using associate Edith Pardo as a front, and lied about the product's adoption.
- Crowd Machine (CMCT)Tokens
This page was last updated on Jun 8, 2026. View revision history.