A new DeFi yield farm has an admin key that could sweep its entire $1 billion in deposited assets, although doing so would now take 12 hours.
Harvest Finance, a decentralized finance (DeFi) project that has attracted more than $1 billion in committed funds, has an admin key that gives its holders the ability to mint tokens at will and steal user funds.
As noted by the auditing firms PeckShield and Haechi, and further highlighted by DeFi community member Chris Blec, governance is not enforced by a contract with clearly defined rules. An administrator key, presumably held by the project's anonymous developers, can be used to mint new FARM tokens arbitrarily.
This power would allow the holders of the governance key to create an unlimited number of tokens, dump them into the Uniswap FARM pool and drain the $12 million in USD Coin (USDC) it currently holds.
Harvest Finance is an automated yield management system with vault-based strategies similar to Yearn.finance. Haechi noted that, beyond the token minting mechanics, the governance key holder can also change vault strategies at will, which could be abused by submitting a fake strategy that simply forwards the vault's funds to an attacker-controlled address.
Holders of the governance key therefore have the theoretical ability to steal the $1.05 billion in assets committed to the protocol, in addition to the Uniswap pool funds.
In response to the audits, the team introduced a 12-hour timelock on privileged actions, which should give users sufficient advance warning of any malicious change, but only if the community keeps watching the queue constantly.
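The following is an added illustration, not Harvest Finance's code, of the two things the article describes: a vault whose strategy and minting functions are controlled by a single governance address (the attack surface the auditors flagged), and a timelock contract installed as that governance address so that every privileged call must be queued, emitted as an event, and can only execute after a 12-hour delay (the mitigation the team adopted). All contract and function names, the `Queued`/`Executed` events and the `salt` parameter are assumptions for this example; the generic timelock goes beyond the single strategy-swap case in the text and covers any admin call, minting included.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical vault (not the project's own code). Anything the governance
// address can call here is the risk described by the auditors: with an EOA
// as governance, a fake strategy or an unlimited mint takes effect instantly.
contract ExampleVault {
    address public governance;   // intended to be the Timelock address below
    address public strategy;     // where deposited funds are routed
    mapping(address => uint256) public balanceOf; // vault share balances

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    constructor(address initialStrategy, address governance_) {
        strategy = initialStrategy;
        governance = governance_;
    }

    // A malicious strategy here is the "forward everything to the attacker" path.
    function setStrategy(address newStrategy) external onlyGovernance {
        require(newStrategy != address(0), "zero strategy");
        strategy = newStrategy;
    }

    // Unrestricted minting: the same power the audits flagged for the FARM token.
    function mint(address to, uint256 amount) external onlyGovernance {
        balanceOf[to] += amount;
    }
}

// Hypothetical timelock: the admin can still do everything above, but every
// call is publicly queued 12 hours before it can run. The Queued event is the
// signal a community monitor watches for; the delay is the window to withdraw.
contract Timelock {
    uint256 public constant DELAY = 12 hours;
    address public admin;
    // action id => earliest execution timestamp (0 means not queued)
    mapping(bytes32 => uint256) public eta;

    event Queued(bytes32 indexed id, address target, bytes data, uint256 eta);
    event Cancelled(bytes32 indexed id);
    event Executed(bytes32 indexed id, address target, bytes data);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor() {
        admin = msg.sender;
    }

    // salt lets the same call be queued more than once with distinct ids
    function actionId(address target, bytes calldata data, uint256 salt)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(target, data, salt));
    }

    function queue(address target, bytes calldata data, uint256 salt)
        external onlyAdmin returns (bytes32 id)
    {
        id = actionId(target, data, salt);
        require(eta[id] == 0, "already queued");
        eta[id] = block.timestamp + DELAY;
        emit Queued(id, target, data, eta[id]);
    }

    function cancel(bytes32 id) external onlyAdmin {
        require(eta[id] != 0, "not queued");
        delete eta[id];
        emit Cancelled(id);
    }

    function execute(address target, bytes calldata data, uint256 salt)
        external onlyAdmin returns (bytes memory)
    {
        bytes32 id = actionId(target, data, salt);
        uint256 readyAt = eta[id];
        require(readyAt != 0, "not queued");
        require(block.timestamp >= readyAt, "timelock not expired");
        delete eta[id]; // clear before the external call
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        emit Executed(id, target, data);
        return ret;
    }
}
```

Deploying `ExampleVault` with `governance_` set to the `Timelock` address means a strategy swap must go through `queue(vault, abi.encodeCall(ExampleVault.setStrategy, (newStrategy)), salt)` and cannot run for 12 hours. Defensively, the useful check is off-chain: index the `Queued` events of the timelock, decode `data` against the vault's ABI, and alert on any `setStrategy` or `mint` call so depositors can exit before `execute` becomes possible. The timelock does not remove the trust assumption; it only turns an instantaneous theft into one that is announced in advance, which is exactly why the article stresses that it still requires constant vigilance.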
The project currently runs a classic yield farm similar to many of the "food coins". Users can deposit Ether, Wrapped Bitcoin (WBTC) and other assets, but the highest FARM yield comes from staking FARM tokens themselves, without even the additional abstraction layer of a Uniswap pool token. This self-referential dependency is characteristic of many Ponzi schemes.
The team is completely anonymous, although the project has attracted a relatively large community and has engaged it by distributing donations.
While nothing currently suggests malicious intent, the project is strongly centralized, and potential investors should be aware that they are relying on an anonymous group of developers to resist the temptation to run away with their money, just as the community initially trusted the founder of SushiSwap.