Harvest Finance explained via a thread of tweet, stating that the incidence reported earlier is originated with a large flash loan, and manipulated prices on one money lego (curve y pool) to drain another money lego (fUSDT, fUSDC), through many times. The attacker then converted the funds to renBTC and exited to BTC. Like other flash loan attacks, the attacker did not give time to respond, performing the attack in 7 minutes end to end. The attacker sent back $2,478,549.94 to the deployer in the form of USDT and USDC. This will be distributed to the affected depositors pro-rata using a snapshot, according to the tweets.