fWETH Withdraw Failure Sept 18 2020

This summary was prepared by user Silage Pete and has not been reviewed for accuracy or completeness by the Harvest team.

At around 06:00 UTC on Friday September 18th 2020, users in the Harvest Finance Discord chat began reporting problems with fWETH withdrawals.

At the time of the incident, the fWETH vault was using a farming strategy that earned interest for depositors by deposited the underlying WETH onto the CREAM platform for lending. CREAM lending is based on a fork of the Compound lending codebase.

When an fWETH withdrawal is processed, the underlying WETH should be removed from CREAM and returned to the claimant, and the interest-bearing fWETH deposit receipt should be burned. In the faulty transactions, the deposit receipt was burned, but only some or even none of the requested WETH was withdrawn from CREAM and returned to the user:

CREAM, like Compound, cannot always guarantee that withdrawals of any size can be honored at any time. As a result, large withdrawals may result in partial or no return of funds and the error message TOKEN_INSUFFICIENT_CASH. Due to an oversight, the Harvest strategy contract failed to check for this error and would burn the user's fWETH even if only some or none of the requested WETH was returned.

When the issue was understood, Harvest community wiki managers BIBI CAT, Silage Pete, and several other Harvest Discord moderators and helpful users notified the Harvest development team of the problem and alerted everyone in Discord that they should not attempt any more WETH withdrawals until the issue was fixed. Notices to avoid withdrawals were placed in Discord and the wiki.

At 07:00 UTC, around 1 hour after the incident was reported, contributor Byron McKeeby submitted a pull request to the WETH strategy repository attempting to fix this bug. This PR would not recover the WETH for those who had failed to withdraw, but it proposed an approach for avoiding the failed withdrawal problem in future strategy deployments.

Approximately 5% of the fWETH supply held by 11 owners attempted to withdraw and was affected by this bug. When a withdrawal failed, ownership of the WETH in CREAM that failed to be withdrawn was transferred to the remaining shareholders in the fWETH pool and causing the fWETH share price to increase.

Around 14:00 UTC, Discord administrator and development team member Bread for the People posted in Discord to announce that the problem was being worked on:

Withdrawals for WETH are currently disabled due to a lack of ETH inside Cream lending. We are working with CREAM and are actively working to resolve the issue. Safe withdrawals of WETH will be enabled soon. We would like to take responsibility and to thank Andre Cronje and the CREAM team for actively assisting with the fix.

Around 16:00 UTC, Bread for the People announced that the Harvest and CREAM teams had a plan to restore the funds:

Working together with the CREAM team, we have a plan to restore peace and harmony to the WETH Farm. Users do not need to do anything, the strategy will be updated with the fix. After that, all values will be double-checked, and then withdrawals will be re-enabled.

Around 17:00 UTC, Bread for the People announced that the WETH had been recovered:

Update: crWETH from the CREAM strategy has been successfully redeemed to WETH. Users do not need to do anything, all values will be double-checked once the strategy is updated with the fix, and then withdrawals will be re-enabled.

Around 19:00 UTC, Bread for the People announced that the incident was resolved:

Peace and harmony has been restored to the WETH Farm. fWETH balances have been restored. Withdrawals have been re-enabled. All WETH Farm participants are in profit. Thanks to the excellent Cream team and the prolific Andre Cronje for helping out.

Recovery transactions:

PreviousfUSDC/fUSDT Economic Attack Oct 26 2020 NextHow to deposit and stake

Last updated 8 months ago