Other

Harvest Finance Flash Loan Attack ($34M)

📅 2020-10-26 🏢 Harvest Finance (DeFi yield aggregator)

Incident Details

On October 26, 2020, Harvest Finance, a DeFi yield aggregator managing over $1 billion in assets, suffered a flash loan economic attack that caused approximately $34 million in losses.

The attacker took a flash loan of $50 million USDC and $50 million USDT from Uniswap and used it to manipulate stablecoin pricing in Curve Finance's Y pool, which Harvest Finance's vault contracts used for their price calculations. By temporarily depressing the USDC price with large swaps, the attacker could deposit USDC into Harvest vaults at an artificially low valuation, restore the price, and then withdraw, profiting approximately $3–4 million per cycle. Repeating this approximately 17 times within a single transaction extracted approximately $34 million in total before the flash loan was repaid.

The attack left Harvest Finance's USDC and USDT vault depositors with about 13.8% less than they held before it. The attacker returned approximately $2.5 million to Harvest Finance's deployer address in an apparent gesture.

Harvest Finance subsequently reworked its price oracle architecture to use time-weighted average prices (TWAP), which are resistant to single-transaction flash loan manipulation. The attack was one of the first major flash loan economic exploits and demonstrated that smart contract price oracle manipulation was a systemic DeFi vulnerability.

Technical Details

Initial Attack Vector
The attacker used a large flash loan to manipulate the USDC/USDT price in Curve Finance's Y pool, on which Harvest Finance relied for pricing. By temporarily moving the oracle price, the attacker could deposit and withdraw stablecoins at artificially favorable exchange rates, extracting value in repeated cycles.
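The mechanism described in the Incident Details and in the attack vector above, as an added simulation that is not Harvest Finance or Curve Finance code: a vault that prices its shares from a pool's spot price is mispriced for as long as a single transaction holds the pool out of balance, while a block-granular TWAP (the mitigation Harvest adopted) samples the price before the block's first swap and so cannot see the manipulation. The constant-product pool standing in for the Curve Y pool, the vault's two-token holdings, and all balances and loan sizes are assumptions chosen for round numbers. The example goes slightly beyond the page by also measuring the loss borne by the remaining depositors.

```python
"""
Added illustration, not Harvest Finance or Curve Finance code: why a vault that
prices shares from a pool's *spot* price can be drained inside one transaction,
and why a block-granular TWAP closes that window. The constant-product pool,
all balances and the flash-loan sizes are assumptions chosen for round numbers.
"""
from dataclasses import dataclass, field


@dataclass
class Pool:
    """Constant-product AMM (x*y=k), a simplified stand-in for the Curve Y pool."""
    reserve_a: float            # token A, think USDC
    reserve_b: float            # token B, think USDT
    oracles: list = field(default_factory=list)

    def spot_price_a_in_b(self) -> float:
        return self.reserve_b / self.reserve_a

    def swap(self, block: int, amount_in: float, a_to_b: bool) -> float:
        """Swap amount_in of one token for the other (no fee, an assumption).
        Oracles are notified *before* the reserves change, as Uniswap V2 does."""
        for oracle in self.oracles:
            oracle.update(block)
        k = self.reserve_a * self.reserve_b
        if a_to_b:
            self.reserve_a += amount_in
            out = self.reserve_b - k / self.reserve_a
            self.reserve_b = k / self.reserve_a
        else:
            self.reserve_b += amount_in
            out = self.reserve_a - k / self.reserve_b
            self.reserve_a = k / self.reserve_b
        return out


class SpotOracle:
    """Reports whatever the reserves say right now: manipulable within one transaction."""
    def __init__(self, pool: Pool):
        self.pool = pool
        pool.oracles.append(self)

    def update(self, block: int) -> None:
        pass  # nothing to accumulate

    def price(self) -> float:
        return self.pool.spot_price_a_in_b()


class TwapOracle:
    """Samples the price once per block, before that block's first swap, and
    averages the last `window` samples. A swap in the current block only shows
    up in the sample taken at the start of the *next* block."""
    def __init__(self, pool: Pool, window: int):
        self.pool, self.window = pool, window
        self.samples = []
        self.last_block = None
        pool.oracles.append(self)

    def update(self, block: int) -> None:
        if block != self.last_block:
            self.samples.append(self.pool.spot_price_a_in_b())
            self.last_block = block

    def price(self) -> float:
        recent = self.samples[-self.window:]
        if not recent:
            raise RuntimeError("TWAP oracle has no samples yet")
        return sum(recent) / len(recent)


class Vault:
    """Holds A and B (like an LP position); shares are minted and redeemed at
    NAV per share, with the vault's A valued through the oracle in units of B."""
    def __init__(self, oracle, a: float, b: float, shares: float):
        self.oracle, self.a, self.b, self.shares = oracle, a, b, shares

    def nav_per_share(self, block: int) -> float:
        self.oracle.update(block)
        return (self.a * self.oracle.price() + self.b) / self.shares

    def deposit_b(self, block: int, amount: float) -> float:
        minted = amount / self.nav_per_share(block)
        self.b += amount
        self.shares += minted
        return minted

    def withdraw_b(self, block: int, shares: float) -> float:
        out = shares * self.nav_per_share(block)
        self.b -= out
        self.shares -= shares
        return out


def run_cycle(use_twap: bool) -> dict:
    """One manipulate / deposit / restore / withdraw cycle inside a single block."""
    pool = Pool(10_000_000.0, 10_000_000.0)
    oracle = TwapOracle(pool, window=5) if use_twap else SpotOracle(pool)
    vault = Vault(oracle, a=1_000_000.0, b=1_000_000.0, shares=2_000_000.0)
    honest_value_before = 2_000_000.0 * vault.nav_per_share(0)  # existing depositors

    for block in range(1, 6):            # quiet blocks: the TWAP fills its window at 1.0
        oracle.update(block)

    block = 6                            # everything below happens in one transaction
    loan_a, loan_b = 10_000_000.0, 1_000_000.0        # flash-loaned, repaid at the end
    b_from_swap = pool.swap(block, loan_a, a_to_b=True)       # spot price of A: 1.0 -> 0.25
    minted = vault.deposit_b(block, loan_b)                    # shares priced off the oracle
    a_from_swap = pool.swap(block, b_from_swap, a_to_b=False)  # spot price back to 1.0
    b_out = vault.withdraw_b(block, minted)
    assert abs(a_from_swap - loan_a) < 1e-6                    # loan in A repaid exactly

    honest_value_after = 2_000_000.0 * vault.nav_per_share(block)
    return {
        "attacker_profit_b": b_out - loan_b,
        "depositor_loss_pct": 100.0 * (1 - honest_value_after / honest_value_before),
    }


if __name__ == "__main__":
    for label, twap in (("spot oracle", False), ("TWAP oracle", True)):
        print(label, run_cycle(twap))
```

With the spot oracle one cycle nets the attacker about 333,333 B and leaves the other depositors roughly 16.7% poorer; with the TWAP the same swaps change nothing the vault can see, so the deposit and withdrawal net to zero. The simulation ignores swap fees and the real StableSwap curve, both of which change the magnitudes but not the shape of the result.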
Vendor / Product
Harvest Finance (DeFi yield aggregator)

Timeline

  1. 2020-10-26 Breach occurred
  2. 2020-10-26 Publicly disclosed