Beanstalk DeFi project robbed of $182 million in flash loan attack

Reserves were drained after the attacker awarded themselves voting rights.
Written by Charlie Osborne, Contributing Writer

Decentralized finance (DeFi) project Beanstalk has lost $182 million in a flash loan attack.

It might seem more like a corporate heist than a typical cyberattack. Still, this security incident was possible after the unknown threat actor secured the project voting rights necessary to transfer reserve funds away from the project's liquidity pools.

On April 19, Beanstalk, a credit-based stablecoin protocol project based on Ethereum, said the platform was subject to a flash loan attack two days previously.

The cyberattack exploited the project's protocol governance mechanism. According to a post-mortem conducted by Omniscia, the exploit occurred due to the recent implementation of the Curve LP Silos, "ultimately permitting the attacker to conduct an emergency execution of a malicious proposal siphoning project funds."

Flash loan functions in DeFi projects allow users to borrow large amounts of virtual funds for a short period of time. In Beanstalk Farm's case, voting powers were based on the amount of tokens held.

Omniscia says that after the attacker secured a flash loan -- and, therefore, extensive voting rights normally used to accept or decline changes in the protocol's code -- an emergency governance mechanism was abused to 'vote' for a malicious proposal and allow themselves to send funds to a wallet they controlled.

The flash loan was then repaid.

According to PeckShield, who first spotted the attack, total losses reached $182 million, with the attacker able to pocket roughly $80 million. Other losses were due to the fees required to execute the flash loan.

Stolen assets were then liquidated into Ethereum (ETH). Beanstalk says approximately $76 million in non-Beanstalk assets were stolen from liquidity pools.

Beanstalk was paused following the discovery of the attack, but this was not enough to prevent the theft or claw back the stolen funds.

Remaining BEANs in the exploiter contract have been burned.

In a tweet, Beanstalk offered the attacker 10% of the stolen funds as a bug bounty if they returned 90%.


Notably, the thief also appears to have sent $250,000 to the Ukrainian relief fund Ukraine Crypto Donation.

"Beanstalk Farms, the decentralized development team working on Beanstalk, is preparing a strategy to safely re-launch a more secure Beanstalk with a path forward," the project says.

There are several goals on the roadmap: attracting investment to restart Beanstalk; preserving "as much of each Farmers' Stalk, Seed, and Pod positions as possible," and "aligning new capital with previous Stalk and Pod holders."

"This eye-watering amount of money stolen will not only bite financially but in it will potentially chip away at the trust too," commented Jake Moore, Global Cyber Security Advisor at ESET. "Attackers are heavily targeting crypto finance systems due to the extremely high rewards whilst often leaving no remanence of evidence whatsoever."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards