Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

apegurus/harvest-finance

Name: harvest-finance
Author: apegurus

skills/case-studies/harvest-finance/SKILL.md

npx skillsauth add apegurus/solidity-argus harvest-finance

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Harvest Finance (2020)

Overview

In October 2020, Harvest Finance was exploited for approximately $34 million. The attacker used flash loans to manipulate the price of stablecoins (USDC and USDT) within Curve Finance pools, which Harvest used to calculate the value of its vault shares.

Root Cause

Harvest Finance vaults calculated the value of their shares based on the "virtual price" of assets in Curve pools. By using a flash loan to execute a massive swap in a Curve pool, the attacker could temporarily depress the price of an asset. They then deposited that asset into Harvest at the depressed price, swapped back in Curve to restore the price, and withdrew from Harvest at the higher price.

Attack Flow

Attacker took a flash loan of 50M USDC and 17.3M USDT from Uniswap V2.
Attacker swapped 11.4M USDC for USDT on Curve's Y pool, pushing down the USDC price.
Attacker deposited 60.6M USDC into the Harvest fUSDC vault. Because the USDC price was manipulated downwards, the attacker received more fUSDC shares than they should have.
Attacker swapped the USDT back for USDC on Curve, restoring the price.
Attacker withdrew USDC from the Harvest vault. Since the price was now higher, their shares were worth more USDC than they deposited.
Attacker repeated this process multiple times.
Attacker repaid the flash loan and walked away with the profit.

Impact

Loss: ~$34M
Protocol: Harvest Finance
Chain: Ethereum
Date: 2020-10-26

Key Transactions

Attack tx: 0x35f8d2f572fceaac9288e5632737885a062dd0c8587ce9044329942b694a9974

Detection Heuristics

Pattern 1: Calculating share value or collateral value based on instantaneous on-chain prices from a single pool.
Pattern 2: Lack of slippage protection or "sanity checks" against a more robust oracle when depositing or withdrawing from vaults.

Remediation

Fix 1: Use a decentralized oracle (like Chainlink) or a TWAP for asset valuation.
Fix 2: Implement a "slippage" or "premium" check that prevents deposits/withdrawals when the pool price deviates significantly from the oracle price.

References

rekt.news/harvest-finance-rekt/
medium.com/harvest-finance/harvest-flashloan-economic-attack-post-mortem-3cf900d65bc6

apegurus/harvest-finance

skills/case-studies/harvest-finance/SKILL.md

Case study of the 2020 Harvest Finance exploit: flash loan + price manipulation draining ~$34M

data-ai

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus harvest-finance

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:20 AM146.6s1 file scanned

SKILL.md

name:: harvest-finance
description:: Detects usage of share price functions which can be manipulated by large trades in underlying pools.
category:: reference
source_url:: https://rekt.news/harvest-finance-rekt/
source_license:: CC0
imported_at:: 2025-02-20T00:00:00Z
- regex:: getPricePerFullShare
severity:: Medium

Harvest Finance (2020)

Overview

Root Cause

Attack Flow

Attacker took a flash loan of 50M USDC and 17.3M USDT from Uniswap V2.
Attacker swapped 11.4M USDC for USDT on Curve's Y pool, pushing down the USDC price.
Attacker deposited 60.6M USDC into the Harvest fUSDC vault. Because the USDC price was manipulated downwards, the attacker received more fUSDC shares than they should have.
Attacker swapped the USDT back for USDC on Curve, restoring the price.
Attacker withdrew USDC from the Harvest vault. Since the price was now higher, their shares were worth more USDC than they deposited.
Attacker repeated this process multiple times.
Attacker repaid the flash loan and walked away with the profit.

Impact

Loss: ~$34M
Protocol: Harvest Finance
Chain: Ethereum
Date: 2020-10-26

Key Transactions

Attack tx: 0x35f8d2f572fceaac9288e5632737885a062dd0c8587ce9044329942b694a9974

Detection Heuristics

Pattern 1: Calculating share value or collateral value based on instantaneous on-chain prices from a single pool.
Pattern 2: Lack of slippage protection or "sanity checks" against a more robust oracle when depositing or withdrawing from vaults.

Remediation

Fix 1: Use a decentralized oracle (like Chainlink) or a TWAP for asset valuation.
Fix 2: Implement a "slippage" or "premium" check that prevents deposits/withdrawals when the pool price deviates significantly from the oracle price.

References

rekt.news/harvest-finance-rekt/
medium.com/harvest-finance/harvest-flashloan-economic-attack-post-mortem-3cf900d65bc6

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/case-studies/harvest-finance ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT