Harvest Finance, a decentralized finance project that succeeded in attracting over $1 billion in funds locked has an admin key that gives its holders the ability to mint tokens at will and steal users’ funds.
As noted by auditing companies PeckShield and Haechi, the governance parameters are not set by a contract with clearly defined rules. An admin key, presumably held by the anonymous developers behind the project, could be used to arbitrarily mint new FARM tokens.
This power could allow the governance key holders to create an unlimited number of tokens and drain funds in the token’s Uniswap pool, which currently holds $12 million in USDC.
Harvest Finance is an automated yield management system, featuring vault-based strategies similar to Yearn Finance. Haechi highlighted that in addition to the minting mechanics, the governance key holder has the ability to change the vault functionality at will, which could be exploited by submitting a bogus strategy that simply sends the funds to an attacker-controlled address.
The holders of the governance key would thus have the theoretical possibility of stealing all of the $1.05 billion in assets committed to the protocol, in addition to the funds in the Uniswap pool.
In response to the audits, the team introduced a 12 hour time lock that should give enough advanced warning to users if any foul play is detected — but that requires constant community vigilance.
The project is currently running a classical yield farm similar to many of the “food coins.” Users can commit Ether (ETH), Wrapped Bitcoin (BTC) and other assets, but the highest FARM yield can be found by submitting FARM tokens themselves, without necessarily requiring the additional layer of abstraction of Uniswap pool tokens. Such a circular dependency is characteristic of many crypto Ponzi schemes.
The team is completely anonymous, though the project succeeded in attracting a relatively sizable community and has been involved in the community by doling out grants.
While nothing would suggest malicious intentions for now, the project is strongly centralized and prospective farmers should be aware that they are trusting an anonymous group of developers to resist the temptation to run off with their money, similarly to how the community initially trusted SushiSwap’s founder.
This post first appeared here: https://cointelegraph.com/news/anonymous-devs-behind-a-defi-yield-farm-could-steal-1b-in-12-hours