ID:
harvest-finance-1120
100 pts
Platform:
Type:
Category:
Method:
Data Sources:
Ethereum
Protocol
Yield Aggregator
Contract Vulnerabilities
Extended Method:
Withdraw logic error
Days in Operation:
769
(2.11 Years)
100 pts each
At around 06:00 UTC on Friday September 18th 2020, users in the Harvest Finance Discord chat began reporting problems with fWETH withdrawals.
At the time of the incident, the fWETH vault was using a farming strategy that earned interest for depositors by deposited the underlying WETH onto the CREAM platform for lending. CREAM lending is based on a fork of the Compound lending codebase.
When an fWETH withdrawal is processed, the underlying WETH should be removed from CREAM and returned to the claimant, and the interest-bearing fWETH deposit receipt should be burned. In the faulty transactions, the deposit receipt was burned, but only some or even none of the requested WETH was withdrawn from CREAM and returned to the user. Approximately 5% of the fWETH supply held by 11 owners attempted to withdraw and was affected by this bug.
Incident was resolved and funds were returned to locked users.
DISCLAIMER: While web3rekt has used the best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of its information and data herein, and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose.
Under no circumstances, shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.