Beanstalk, a credit-focused stablecoin protocol built on the Ethereum blockchain, was exploited on Sunday morning for all of its collateral in an attack that combined two malicious governance proposals with a flash loan. According to blockchain security firm PeckShield, the protocol lost about $182 million in various cryptocurrencies.
In a Twitter thread, PeckShield stated, “The BeanstalkFarms was exploited in a flurry of txs leading to the gain of $80 million + for the hacker (The protocol loss may be larger), including 24,830 ETH and 36 million BEAN.”
PeckShield further stated, “Our initial analysis shows the @BeanstalkFarms loss is $182m ! Here is the breakdown of stolen assets: 79,238,241 BEAN3CRV-f, 1,637,956 BEANLUSD-f, 36,084,584 BEAN, and 0.54 UNI-V2_WETH_BEAN.”
How it happened
The attack was seeded the day before, on the 16th of April, when the exploiter submitted two governance proposals, BIP-18 and BIP-19, framed as a request for the protocol to donate funds to Ukraine. Unbeknownst to the community, the proposals carried a malicious rider which, once committed, drained the protocol’s funds, according to smart contract auditor BlockSec.
On the day of the attack, the exploiter took out a roughly $1 billion flash loan from the Aave (AAVE) protocol, denominated in the DAI (DAI), USD Coin (USDC) and Tether (USDT) stablecoins, and used the borrowed funds to acquire enough voting power, over 67% of the total, to approve and commit their own proposals within the same transaction.
A flash loan must be borrowed and repaid within a single transaction, and typically calls on several smart contracts in between to complete; if the loan is not repaid by the end of the transaction, the whole transaction reverts, so the borrower risks nothing beyond gas. Flash loans have been used in earlier attacks on other protocols.
Strictly speaking, this was not a hack: the smart contracts and the governance procedure worked exactly as designed, and the attacker exploited flaws in that design rather than a bug in the code. Voting power was measured from the caller’s current token balance, so tokens held for only the duration of one transaction counted in full. Project spokesperson “Publius” acknowledged that the platform design was ultimately the cause of its own demise in a meeting today when he said, “It’s unfortunate that the same governance procedure that put beanstalk in a position to succeed was ultimately its undoing.”
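To make the design flaw concrete, here is a toy model written for this page (it is not Beanstalk’s code and not from the original article; all names, balances and the fee are hypothetical). A governance contract that counts voting power from the caller’s balance at the moment of the commit call can be satisfied with tokens that are borrowed and returned inside one transaction; a variant that reads balances from the block sealed before the proposal was filed, and refuses to commit in the proposal’s own block, cannot. The real attack borrowed stablecoins and swapped them for assets that carried voting weight; the model collapses that into a lender that hands out the voting token directly.

```python
"""Toy model of a flash-loan governance takeover (constructed example)."""

import copy

SUPERMAJORITY_NUM, SUPERMAJORITY_DEN = 2, 3   # commit needs >= 2/3 of supply
FLASH_FEE_BPS = 9                             # hypothetical lender fee (0.09%)


class Token:
    """Fungible token ledger with a balance checkpoint per sealed block."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.history = {}                     # sealed block -> balances copy

    @property
    def total_supply(self):
        return sum(self.balances.values())

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError(f"{src}: insufficient balance")   # tx reverts
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def checkpoint(self, block):
        self.history[block] = dict(self.balances)

    def balance_at(self, who, block):
        return self.history[block].get(who, 0)

    def supply_at(self, block):
        return sum(self.history[block].values())


class Proposal:
    def __init__(self, proposer, payload, created_at):
        self.proposer, self.payload, self.created_at = proposer, payload, created_at
        self.executed = False


class VulnerableGovernance:
    """Voting power = caller's balance right now; commit allowed in any block."""

    def __init__(self, token):
        self.token = token
        self.proposals = []

    def propose(self, who, payload, block):
        self.proposals.append(Proposal(who, payload, block))
        return len(self.proposals) - 1

    def voting_power(self, who, proposal, block):
        return self.token.balances.get(who, 0), self.token.total_supply

    def commit_allowed(self, proposal, block):
        return True

    def emergency_commit(self, who, pid, block):
        """Return (ok, reason); on ok the proposal's payload runs at once."""
        p = self.proposals[pid]
        if p.executed:
            return False, "already executed"
        if not self.commit_allowed(p, block):
            return False, "too early"
        power, supply = self.voting_power(who, p, block)
        if power * SUPERMAJORITY_DEN < SUPERMAJORITY_NUM * supply:
            return False, "insufficient voting power"
        p.executed = True
        if p.payload == "drain treasury":                 # the malicious rider
            self.token.transfer("treasury", p.proposer, self.token.balances["treasury"])
        return True, "executed"


class HardenedGovernance(VulnerableGovernance):
    """Power is read from the block sealed *before* the proposal was filed, so
    tokens borrowed and returned within one transaction never appear in it;
    a commit must also wait at least one block so holders can react."""

    def voting_power(self, who, proposal, block):
        ref = proposal.created_at - 1
        return self.token.balance_at(who, ref), self.token.supply_at(ref)

    def commit_allowed(self, proposal, block):
        return block > proposal.created_at


class FlashLender:
    """Lends from its own balance; principal plus fee must be back before return."""

    def __init__(self, token, name="lender"):
        self.token, self.name = token, name

    def flash_loan(self, borrower, amount, callback):
        self.token.transfer(self.name, borrower, amount)
        callback()
        self.token.transfer(borrower, self.name, amount + amount * FLASH_FEE_BPS // 10_000)


class World:
    """Minimal chain: atomic transactions (state restored on revert) and sealed blocks."""

    def __init__(self, governance_cls):
        self.block = 100
        self.token = Token({"community": 1_000_000, "treasury": 1_000_000,
                            "lender": 5_000_000, "attacker": 10_000})
        self.token.checkpoint(self.block - 1)     # checkpoint of the prior block
        self.gov = governance_cls(self.token)
        self.lender = FlashLender(self.token)

    def transaction(self, fn):
        backup = copy.deepcopy((self.token, self.gov, self.lender))
        try:
            fn()
        except ValueError as exc:                 # revert: restore every object
            self.token, self.gov, self.lender = backup
            return str(exc)
        return "ok"

    def seal_block(self):
        self.token.checkpoint(self.block)
        self.block += 1


def run_attack(governance_cls):
    """Run the same attacker script against either governance variant."""
    w = World(governance_cls)
    pid = []
    # Block N: file the proposal using only the attacker's own small holding.
    w.transaction(lambda: pid.append(w.gov.propose("attacker", "drain treasury", w.block)))
    w.seal_block()

    # Block N+1: borrow enough to pass 2/3, commit, repay, all in one transaction.
    def attack():
        def commit():
            ok, reason = w.gov.emergency_commit("attacker", pid[0], w.block)
            if not ok:
                raise ValueError(f"commit refused: {reason}")   # abort, pay no fee
        w.lender.flash_loan("attacker", 4_700_000, commit)

    status = w.transaction(attack)
    return {"status": status,
            "treasury": w.token.balances["treasury"],
            "attacker": w.token.balances["attacker"]}


if __name__ == "__main__":
    for cls in (VulnerableGovernance, HardenedGovernance):
        print(cls.__name__, run_attack(cls))
```

Against `VulnerableGovernance` the borrowed 4,700,000 tokens push the attacker past two-thirds of the 7,010,000 supply, the treasury is emptied into the attacker’s balance and the loan is repaid from it, leaving the attacker with a profit of roughly the treasury minus the lender’s fee. Against `HardenedGovernance` the commit is judged on the attacker’s 10,000-token balance from the block before the proposal, the commit is refused, the transaction reverts and nothing moves. The one-block wait in the hardened variant does not by itself stop the flash loan (the attacker simply borrows in the later block); it is the snapshot from an already-sealed block that does, with the delay giving other holders a chance to notice the proposal.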
What you should know
- According to PeckShield, the exploiter made off with roughly $80 million in Ether (ETH) and Beans (BEAN), while the protocol as a whole lost its entire $182 million in total value locked (TVL). The remainder of the exploited funds was drained as liquidity-pool tokens connected to the protocol (see the breakdown above).
- The funds were funnelled through Tornado Cash, a popular privacy tool: a cryptocurrency mixer that obscures the link between deposits and withdrawals. This is the same service through which the attacker behind the $625 million Ronin bridge (Axie Infinity) hack laundered part of the proceeds.
What they are saying
- PeckShield stated, “The @BeanstalkFarms protocol loss is $182m and the hacker nets $80m. The rest $100m goes to various protocols as fees to pay flashloan and swap.” It went on to ask, “Should these protocols (incl. @AaveAave @SushiSwap @CurveFinance @Uniswap @BeanstalkFarms) return these fees back to @BeanstalkFarms?”
- Beanstalk has acknowledged the exploit and tweeted, “We’re engaging all efforts to try to move forward. As a decentralized project, we are asking the DeFi community and experts in chain analytics to help us limit the exploiter’s ability to withdraw funds via CEXes. If the exploiter is open to a discussion, we are as well.”
- The team stated it has reached out to the Federal Bureau of Investigation (FBI) Crime Center and would “fully cooperate with them to track down the perpetrators and recover funds.”
- The protocol’s smart contracts have been paused and all governance privileges have been revoked by the team.
- The hacker also sent $250,000 worth of USDC to the Ukraine Crypto Donation wallet.
BEAN is currently down about 83%, trading at $0.17 according to CoinGecko, after bottoming at $0.06 when the exploiter dumped their tokens. Publius wrote that the project is probably lost, since there is no venture capital backing to recoup the losses.