Harvest Finance is an automated yield farming protocol created for users looking to put their assets to work in high producing farming opportunities. Harvest will best appeal to those who can’t manage their decentralized finance (DeFi) positions 24/7 - which is most of us. 

If you’ve spent any time in DeFi, then you already know that manually moving funds around the various protocols takes time. Developing strategies and auditing positions takes time and the gas costs on the Ethereum network are high. 

Harvest Finance seeks to help with all of this by automatically searching out the newest DeFi platforms with the highest yield. It then optimizes yield with the latest farming techniques.

So, Harvest works best for those looking for a convenient way to harvest yield from the latest projects in DeFi. Hence the name, “Harvest.” To put funds to work in these high-yield farming opportunities, users just need to deposit supported tokens to get started.

As always, if you want some supplementary information regarding the DeFi field, you should go to Ivan on Tech Academy. The Academy, which is the best place for learning about cryptocurrency, blockchain and decentralized finance, has several DeFi courses for learning more. 

Harvest Finance - Inspired by Andre Cronje

The team at Harvest Finance cites Andre Cronje as inspiring their fledgling project. Cronje showed how much one developer could accomplish by first building a solution for himself. Thus, by following his lead, Harvest looked for the best solution for themselves first so that they could then transfer it to others. 

The FARM Token

FARM is Harvest’s governance token. And FARM token holders not only get to vote on the future direction of the protocol, but they also receive incentives to provide liquidity. Moreover, they get to participate in profit sharing from yield farming revenue. Cashflows come from Assets Under Management while protocol profits keep incentives aligned for users to hold a stake and govern. 

Harvest will cap the total supply of FARM tokens over the next four years at 690,420. And Liquidity Providers can deposit stablecoins, tokens, or pool tokens to earn their share of it. 

Users can either decide to swap their FARM tokens or use them to provide liquidity and earn fees. Capital will be distributed as follows: 30% of the yield farming revenue will go to those who stake FARM, while the remaining 70% will be returned to users who provide capital. 

Also, Harvest charges no additional fees for withdrawing or depositing assets. The protocol will, however, collect transaction fees from swaps. Harvest can use these funds for bug bounties, security audits, and also for new projects.

Why Use Harvest Finance?

The main reason to use Harvest Finance (or other protocols like it) is because the process of manual farming is too time-consuming for the average person. And even if you have the time, high gas prices can put most yield farming strategies out of reach for the average trader. 

However, by pooling funds together, Harvest can save on gas fees. And even with the recent slowdown, yield farming isn’t going to disappear. Nor is the likelihood of gas prices dropping anytime soon. So, Harvest Finance offers an easy and cost-effective way to participate in yield farming. 

Some Farming Strategies

Here is a timeline list of some of the farming strategies that have been evaluated and implemented by Harvest.

2020-09-01 - CRV farming support for DAI, USDC, USDT.

2020-09-05 - SWRV farming support for DAI, USDC, USDT.

2020-09-08 - CRV farming support for WBTC, renBTC, crvRenWBTC.

2020-09-17 - UNI farming support for ETH-DAI, ETH-USDC, ETH-USDT, ETH-WBTC.

2020-10-06 - CRV farming support for TUSD.

2020-10-13 - SUSHI farming support for WBTC-TBTC.

2020-10-20 - DEGO farming support for WETH.

2020-11-03 - Harvest adds PICKLE CRV farming support for 3CRV.

Furthermore, Harvest has recently added YCRV as a yield-bearing asset. And they claim this makes their platform the easiest place to earn yield from Curve.fi. They have also added 3CRV. Now users can earn three different assets with just one asset which saves on gas costs and the numerous steps it would take to farm this trade manually. 

Harvest Finance now boasts over 14 yield-bearing assets including these two new vaults. And they plan to add more assets over time. So, if you have a strategy you’d like Harvest to implement, you can send it to their Discord channel #farming-strategies.

How to Use Harvest Finance

To yield farm with Harvest Finance, visit their site at Harvest.Finance where you can deposit stablecoins, tokenized bitcoin, Uniswap LP tokens, and other supported assets. Once you’ve deposited you can start earning interest and FARM tokens. Just deposit FARM into the Profit Sharing mechanism if you want to participate in the farming revenue.

What are fTokens?

Tokens with an “f” in front of them like fDAI, fUSDC, fWBTC are simply the yield-bearing versions of these popular, underlying assets. These tokens automatically appreciate and can be redeemed at any time for their underlying value in DAI, USDC, WBTC.

In this example we will demonstrate how to use Harvest with the USDC token:

  1. Buy USDC on an exchange.
  2. Transfer it to your MetaMask wallet.
  3. Navigate to Harvest.Finance and connect your wallet.
  4. Find USDC and verify the APY you will earn.
  5. Enter a specific amount to deposit or click “Max.”
  6. Deposit your USDC tokens.
  7. Receive fUSDC tokens in exchange.
  8. Start earning interest.
  9. Hopefully your balance will grow but beware of Impermanent Loss. 
  10. To stake your fUSDC to earn FARM tokens, do the following:
  11. a) Enter an amount or choose Max.
  12. b) Click “Stake” near the bottom of the page.

When your wallet approves the transaction you’re done.

How to Unwrap Your Tokens

Before you can unwrap fTokens like fDAI, fUSDC, and fUSDT, back to their underlying assets, DAI, USDC, and USDT, you must first withdraw from the staking rewards contracts.

  1. Put your balance of fTokens in your wallet.
  2. Navigate to https://harvest.finance/earn and connect your wallet.
  3. Click on the “Unstake & Claim” button to initiate the transaction.
  4. Wait for confirmation.
  5. Receive your fToken and FARM rewards.

Harvest Smart Contracts and Audits

Harvest smart contracts are open source and are designed from the ground up. They are not forks of existing contracts. Harvest has made the effort to reassure its users that their smart contracts have undergone extensive test coverage. And Haechi Labs and Peckshield conduct their security audits. The team also states that additional audits are in progress. 

Moralis Money
Stay ahead of the markets with real-time, on-chain data insights. Inform your trades with true market alpha!

However, they still advise users to personally review the smart contracts before depositing funds. That’s because all DeFi protocols have an element of risk.

Although it is impossible to entirely eliminate risk when dealing with financial concepts, a great way to reduce the risk is through education. Ivan on Tech Academy allows you to educate yourself regarding DeFi and all things crypto. Join over 20,000 already enrolled students, and use our exclusive promo code BLOG20 to get 20% off when joining the academy!

Risks of Using Harvest Finance

Harvest has similar risks to other DeFi protocols. These include such things as smart contract bugs, stablecoins becoming unpegged, and correlation risks. If one prominent block fails, it could cause others to tumble.

But the two immediate risks that Harvest users face is that of impermanent loss and what could be called the “Whale Factor.” You can learn more about impermanent loss in our DeFi Encyclopedia.

As far as the Whale Factor goes, Whales are the big traders who can move markets in a single bound with their large trades. Whale movements pose a bigger risk to protocols like Harvest because their large investments and withdrawals can significantly alter the APY associated with the rewards. 

And this, unfortunately, leads us to the next topic related to risk—the recent Harvest hack.

The Harvest Finance Hack

On October 26, 2020, an attacker exploited an arbitrage and impermanent loss mechanism that affects the assets inside Curve’s yPool. The attack was quick and devastating like a Great White Shark hit. The hack only took seven minutes from start to finish.

Specifically, the hacker utilized a flash loan to manipulate the value of Harvest’s USDC and USDT vaults deposited in Curve.fi. The attacker knew that the assets deposited in these pools are subject to market forces such as arbitrage, impermanent loss, and slippage. He also knew that large market trades can move the prices of these assets.

So, the short version of this exploit is that the hacker helped himself to $34 million from the Harvest Finance vaults. And the exploit caused their FARM token to immediately plummet.

Flash Loan Attack

The vaults invested their holdings in Curve’s yPool. The flash loans drove down the price of USDC and USDT allowing the hacker to purchase them far below market value. So, the attacker repeatedly exploited the impermanent loss factor by manipulating the asset value and was able to exit with profits. With the excess funds, the attacker could pay back the flash loan and keep the profits.

DeFi’s Growing Pains 

The longer version of this hacking story is a bit more complex. But the exploit adds to a long list of growing pains suffered in the DeFi space. DeFi is still in its infancy. And although security holes are constantly being buttoned up, exploits are also getting more sophisticated. 

$34m is nothing to sneeze at. And once the team realized an attack was underway, they tried to thwart it. The team immediately withdrew all the funds from the shared pools to a secure vault. They also blocked deposits to the stablecoin and BTC vault. 

As the fallout continued, Harvest also published the BTC addresses where the stolen funds were stored. They then asked the major exchanges to blacklist these addresses.

After they stopped the bleeding, Harvest put a $100k bounty on the hacker’s head. Furthermore, they promised to up the ante to $400k if the funds were returned within 36 hours. Harvest then used both a carrot and a stick to try to get the hacker to return the stolen funds:

1. Appeal to the ego and sense of community. 

A good salesman knows that you have to ask for the sale to be successful. And Harvest appealed directly to the attacker to return the funds by tweeting out the following: 

“For the attacker: you’ve proven your point, if you can return the funds to the users, it would be greatly appreciated by the community, including many bystanders watching DeFi from afar.”

This appeal could work if the hacker’s motive was to receive acknowledgment of his superior skills. However, if the motive was purely monetary, then it’s doubtful that acknowledging his skills will have any effect. 

The same goes for appealing to the attacker’s sense of community to humanize the losses. If the hacker’s motive was purely financial gain, then he won’t care about the Harvest community nor the “bystanders watching DeFi from afar.”

2. Veiled Threats.

Harvest also tweeted: “There is now a significant amount of personally identifiable information on the attacker, who is well-known in the crypto community.” 

By claiming that they know the hacker’s identity, or that they’re close to identifying him, Harvest hopes to rattle the attacker’s nerves. If the attacker gets paranoid about being doxxed, he might return the stolen funds to call the dogs off.

Also, by offering the $100k reward, Harvest can tempt someone who knows the hacker to turn him in. The reward might especially motivate a crypto bloodhound to trace the money trail to its logical conclusion. 

Furthermore, Harvest asked that no one dox the attacker in their search as they feared it might prevent the users from getting their funds back.

Next Steps

The Harvest Finance team took responsibility for the engineering error and is promising to take the appropriate actions to prevent such attacks in the future. They are reassessing security measures within the context of this new attack.

Harvest also promised to release a post-mortem report and to work on mitigation strategies to stop this kind of flash loan attack. And they are looking into insurance options and reparation strategies. Specifically, a new yCRV vault is open for deposits with the flash loan attack vector mitigated so it can no longer be used. 


With so much money flowing back-and-forth between these DeFi protocols, there will always be smart-contract savvy hackers lurking about in search of an exploit. All it takes is for one little, unnoticed error to slip past and BOOM - easy money for the attacker. Smart contract security will have to evolve as quickly as those writing the exploits in this never-ending game of cat and mouse.

Do you want to learn how to code smart contracts? How about smart contract security? To learn all about blockchain development, make sure to visit Ivan on Tech Academy today!

Author: MindFrac