ID: harvest-finance-1120
Date: September 18, 2020
Status: Verified
Incident Count: 3

REKT

Contributor: zerofriction.io

KYC By:

KYC:

None

Audit By:

Audits:

Least Authority, Haechi, Peckshield, Certik

Loss Amount: -
Recovered: -

Rewards:

Currency:

USD, fWETH

Key Indicators

Platform: Ethereum
Type: Protocol
Category: Yield Aggregator
Method: Contract Vulnerabilities
Data Sources:
Extended Method: Withdraw logic error
Days in Operation: 769 (2.11 Years)

At around 06:00 UTC on Friday, September 18th, 2020, users in the Harvest Finance Discord chat began reporting problems with fWETH withdrawals.
At the time of the incident, the fWETH vault was using a farming strategy that earned interest for depositors by depositing the underlying WETH onto the CREAM platform for lending. CREAM lending is based on a fork of the Compound lending codebase.
When an fWETH withdrawal is processed, the underlying WETH should be removed from CREAM and returned to the claimant, and the interest-bearing fWETH deposit receipt should be burned. In the faulty transactions, the deposit receipt was burned, but only some or even none of the requested WETH was withdrawn from CREAM and returned to the user. Approximately 5% of the fWETH supply held by 11 owners attempted to withdraw and was affected by this bug.

The incident was resolved and funds were returned to locked users.

DISCLAIMER: While web3rekt has used its best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of its information and data herein, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.

Under no circumstances shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.