Hunting Harvest's Admin Key

The steps I took to research Harvest Finance's security holes

This is my first post on Surviving DeFi. I’m making it free to all users. If you’d like to get future posts & exclusive audio podcasts, sign up for a 30-day free trial!

Get 30 day free trial


DeFi moves too fast for any one person to keep up with. Even me.

But that doesn’t mean we can’t try to stay safe. And we don’t have to be developers to do that.

In this post, I’ll share the mental steps that I took to discover that Harvest Finance has a very dangerous admin key situation which jeopardizes users’ funds - a fact that ultimately became a newsworthy surprise to the greater DeFi community.

My hope is that by sharing the steps I took here, you’ll be able to use them in similar situations on your own to evaluate centralization risk. You do not need to be a developer to do this.

Just yesterday, I took a look at DeFi Pulse and realized that I didn’t know much about #4 on the list. Harvest Finance had surpassed $1 billion in locked value and I still hadn’t really taken a look at the project.

The first time I had heard of Harvest Finance was when they contributed $50,000 to a number of Gitcoin Grants participants. Following this announcement, I did notice some more chatter and buzz around the Harvest product and the $FARM token. Mission accomplished, I suppose.

Two days ago, I noticed a tweet about breaking $1 billion in value locked. Spidey senses activated.

Upon seeing this, I made a mental note to check them out. They are one of many yield farming schemes out there, and I haven’t had the time to look at every single one, but breaking $1 billion puts anyone on my radar.

When I did that quick glance at DeFi Pulse and saw them at #4, I decided to take a few moments to dig in.

My first stop was looking at their website. This wasn’t too difficult to find, as it’s linked right on their Twitter profile.

So, over to harvest.finance I headed! First, I tried to figure out what exactly was going on. It’s a typical yield farming shitshow UI - very difficult to find your way around, probably by design. After clicking around for a while and finding that they were accepting deposits of multiple tokens, including Uniswap LP tokens, I started wondering how decentralized the project actually is.

This part is actually very important, because not enough DeFi users do it. Any time a smart contract accepts a deposit, it’s critical that the first questions you ask are “How decentralized is this product? How are the funds being held? Is there an admin key? If yes, what can it do?”

Once those questions are in your head, you need to get an answer before you make a deposit. If you make a deposit without having that answer, you are simply gambling.

I started clicking around on their FAQ and Wiki tabs until I found some clues. First, I saw a section called “Technical Stuff” that mentioned a timelock.

As you can see, there’s nothing else in the “Technical Stuff” section about an admin key. However, a timelock is only needed when there is some kind of privileged key whose transactions need delaying, so the mention is itself a clue.

What is a timelock? A timelock is a smart contract that sits between an admin key and the protocol’s contracts and adds a mandatory delay to every privileged transaction. Without a timelock, the holder of the admin key can call any admin function - whether it’s good or bad for users - and have it execute immediately. With a timelock, the admin must first queue the transaction on-chain, and it can only be executed once the delay has elapsed. The intention is to give users time to examine the queued transaction and get their funds out if they don’t like what they see - which only works if someone is actually watching the queue.


So when I saw the mention of a timelock, and no other mention of an admin key or what it could do, I knew I had to dig deeper.

Further down on their Wiki page, I found a section called “Harvest Security”. Usually, when you see a page on a DeFi product website called “Security”, you’re bound to find some audit reports. And I did.

Harvest Finance does offer up two audit reports on their website. Both audits were completed in September - just one month ago. Both are by reputable firms - Peckshield and Haechi Labs.

First, I clicked on the link for the Peckshield Audit. I saw this.

Uh oh. That’s not good.

It only took me about 3 seconds to notice that the URL was incorrectly coded on the site and that everything before “https://github.com…” should just be deleted.

Before we continue, let me ask you - as a non-developer, would you have stopped here and given up? Or would you have taken that moment to look at the URL and try to figure out what’s wrong?

I don’t know if this was an honest mistake by the Harvest team or an intentional way to keep people from looking at the audit reports (since the error was made on both audit report links). However, I do know that it’s important that users are diligent in finding the info that they need to make an informed decision - even if it’s hidden away!

So, I modified the URL and got the actual Peckshield audit report, linked here for your reference.

That looks intimidating, doesn’t it?

Well, it doesn’t have to be. You don’t need to be a developer to be able to look at audit reports and get some very important clues about a smart contract system.

The first thing I do when I open an audit report is search for mentions of an admin key or “governance”.

I only had to scroll for a few seconds before I found this in the Table of Contents.

Well, that doesn’t sound good, does it? Let’s check it out. On to page 42.

Does this make your eyes glaze over? Is this the part where you start to zone out? Don’t let that happen to you. As I said, you do not have to be a rocket scientist developer to be able to make sense out of this information. And this is the information that can save your funds.

As you can see, Peckshield used plain English to make it clear to the reader that the governance responsibilities of this project are highly centralized and pretty precarious.

“[Governance] is currently controlled by an externally owned account (EOA), which raises necessary concerns from the community.”

Did you see that part? If you stopped reading the audit here and did no further digging, you could understand from this statement that the governance functions of Harvest Finance are assigned to a single Ethereum account. Not a DAO, not a multisig, but one externally owned account: an address controlled by a single private key, with no on-chain rules about how that key is used. It could be in MetaMask. It could be on a Ledger Nano S. We simply don’t know where the key lives, and nothing on-chain limits what it signs. That is the nature of an EOA. You can confirm this yourself: look the address up on Etherscan, and if there is no contract code at that address (no “Contract” tab, just a list of transactions), it’s an EOA rather than a multisig or DAO contract.

Scrolling down a bit more in the audit, we see a table that outlines all of the different liquidity pools available to Harvest users, and the assigned governance address for each. They are all the same EOA. What is Peckshield trying to tell us?

When reading audit reports, it’s critical to remember that the DeFi project they are auditing is typically paying them for the audit. Sugarcoating should be expected. When you see items like this table included in an audit report, it’s Peckshield trying to signal to you that there are some very real dangers without actually saying it. They want to be as honest as they can without totally pissing off their client.

Next, I looked at the Haechi Labs audit, linked here for your convenience.

I scanned the Table of Contents again and saw this juicy nugget.

Oh dear. That’s not good. Let’s take a closer look.

This is the part where you’re supposed to start visualizing the $1 billion that is held in these smart contracts which could be emptied out at any time into the dev’s wallet.

Admin keys are not a new phenomenon to DeFi, and Harvest Finance isn’t the only project that uses one. But $1 billion is an awful lot of money to have complete and total control over.

So the next question I asked myself was “Who holds this very powerful admin key? Let’s talk to that person.”

I went back over to Harvest Finance’s website and their Wiki page. I found a section called “Common Questions” which gave me my answer - kinda.

Oh, no. No no no. For the love of God. Please do not tell me that $1.1 billion is sitting in smart contracts that can be drained with an admin key held by one anonymous developer.

God: Sorry Chris, it’s true.

Damn.

This is when it struck me that we have a serious potential problem on our hands. An admin key responsible for $1 billion is bad enough, but the fact that it’s in the hands of an unknown individual in an unknown country with unknown reputation takes this to a whole other level.

Let’s tell the world.

As you can see, I did learn that since the audit reports were completed, the Harvest anon devs added the timelock that was mentioned earlier. It’s a 12-hour timelock - not nearly long enough to provide any real safety to users. For the delay to protect you, you would need to notice a malicious transaction the moment it is queued on-chain and withdraw your funds within the 12 hours before it can be executed.

The only way this happens is if someone honest is monitoring the timelock’s queue, you are on their alert list, and you are near your computer so you can empty out your funds - with some margin, because a withdrawal that is still pending when the 12 hours expire is too late. Are you? Probably not.
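To make both the timelock mechanism described under “Technical Stuff” above and the reaction window just discussed concrete, here is an added example in Python. It is my own model, not Harvest Finance’s contracts or anything taken from the audits: a minimal timelock that queues admin calls and refuses to execute them before the delay has elapsed, plus the check a monitor would run against the queue to tell depositors how long they have left. The admin and vault addresses, the function names in the watchlist and the 12-hour delay are constructed for illustration.

```python
"""Added example, not code from Harvest Finance or its auditors: a minimal
model of an admin timelock (queue -> wait -> execute) and the monitor a user
would need in order to react inside the delay window. Addresses, function
names and the 12-hour delay are constructed for illustration."""

import hashlib
from dataclasses import dataclass

HOUR = 3600


@dataclass(frozen=True)
class QueuedTx:
    target: str      # contract the admin key wants to call
    signature: str   # function being called, e.g. "setStrategy(address)"
    data: bytes      # ABI-encoded arguments, treated as opaque here
    eta: int         # earliest unix time at which execution is allowed


class Timelock:
    """Admin calls must be queued, then executed no earlier than eta = now + delay.

    Without a timelock the admin key executes immediately; this class is the
    delay the post describes, modelled in Python rather than Solidity.
    """

    def __init__(self, admin: str, delay: int, grace: int = 14 * 24 * HOUR):
        self.admin = admin          # a single EOA in the Harvest case
        self.delay = delay          # e.g. 12 * HOUR
        self.grace = grace          # window after eta before a queued tx goes stale
        self.queued: dict[bytes, QueuedTx] = {}

    @staticmethod
    def tx_hash(tx: QueuedTx) -> bytes:
        # Stand-in for keccak256(abi.encode(...)); sha256 keeps the example dependency-free.
        blob = f"{tx.target}|{tx.signature}|{tx.data.hex()}|{tx.eta}".encode()
        return hashlib.sha256(blob).digest()

    def queue(self, sender: str, target: str, signature: str, data: bytes, eta: int, now: int) -> bytes:
        if sender != self.admin:
            raise PermissionError("only the admin key can queue")
        if eta < now + self.delay:
            raise ValueError("eta must be at least delay seconds in the future")
        tx = QueuedTx(target, signature, data, eta)
        h = self.tx_hash(tx)
        self.queued[h] = tx          # this is the on-chain event a monitor watches for
        return h

    def execute(self, sender: str, h: bytes, now: int) -> QueuedTx:
        if sender != self.admin:
            raise PermissionError("only the admin key can execute")
        tx = self.queued.get(h)
        if tx is None:
            raise ValueError("transaction was never queued")
        if now < tx.eta:
            raise ValueError(f"still locked for {tx.eta - now} seconds")
        if now > tx.eta + self.grace:
            raise ValueError("transaction is stale")
        del self.queued[h]
        return tx                    # in a real contract: target.call(data)


# Constructed watchlist: admin functions whose queueing should trigger a withdrawal decision.
WATCHLIST = {"setStrategy(address)", "setGovernance(address)", "salvage(address,address,uint256)"}


def pending_alerts(timelock: Timelock, now: int, watchlist=WATCHLIST) -> list[tuple[str, str, int]]:
    """List (signature, target, seconds_left) for queued admin actions on the watchlist.

    seconds_left is the whole reaction window a depositor has: once it hits
    zero the admin can execute in the same block.
    """
    alerts = [(tx.signature, tx.target, max(0, tx.eta - now))
              for tx in timelock.queued.values() if tx.signature in watchlist]
    return sorted(alerts, key=lambda a: a[2])


def walkthrough() -> dict:
    """Queue a strategy change behind a 12-hour delay and show what a monitor sees."""
    tl = Timelock(admin="0xAdminEOA", delay=12 * HOUR)
    h = tl.queue("0xAdminEOA", "0xVault", "setStrategy(address)", b"\x01" * 32, eta=12 * HOUR, now=0)
    early = None
    try:
        tl.execute("0xAdminEOA", h, now=6 * HOUR)   # too early: still locked
    except ValueError as e:
        early = str(e)
    seen_at_1h = pending_alerts(tl, now=1 * HOUR)    # what a monitor reports an hour after queueing
    done = tl.execute("0xAdminEOA", h, now=12 * HOUR)
    return {"early_error": early, "alerts_at_1h": seen_at_1h, "executed": done.signature,
            "left_in_queue": len(tl.queued)}


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(k, v)
```

The point of the walkthrough is the gap between the two halves: the contract enforces the 12 hours mechanically, but nothing in it tells depositors anything. `pending_alerts` is the piece a third party has to run continuously, and whatever it reports is the entire window a user gets, minus the time their own withdrawal needs to be mined.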

After finding out this info, a logical next step is to try to get more info from the Harvest Finance community and developers. That didn’t go so well. I was harassed out of the Discord for asking who holds the admin key. The Harvest Finance team banned me from their Discord and also blocked me on Twitter.

Now, not only do I know that the funds held in Harvest Finance are in a very dangerous and insecure situation, but I also know that their anonymous developers are resistant to questions and attack any skepticism. Not a good mix.

For now, Harvest Finance is a DeFi product to be avoided at all costs.

Could this change in the future? Yes. If the anonymous devs one day sufficiently decentralize the functions that are currently assigned to the admin key, then it may be worth taking another look at.

But until then? We have all the info we need to know that this is an untouchable DeFi product.

Apply these steps to every DeFi product that you are curious about, and you will be able to survive DeFi as a non-developer. Good luck out there!

Enjoy this post? Subscribe for more! Your first 30 days are free.
