/>
X

Beanstalk DeFi project robbed of $182 million in flash loan attack

Reserves were drained after the attacker awarded themselves voting rights.
charlie-osborne.jpg
Written by Charlie Osborne, Contributor on

Decentralized finance (DeFi) project Beanstalk has lost $182 million in a flash loan attack.

It might seem more like a corporate heist than a typical cyberattack. Still, this security incident was possible after the unknown threat actor secured the project voting rights necessary to transfer reserve funds away from the project's liquidity pools.

On April 19, Beanstalk, a credit-based stablecoin protocol project based on Ethereum, said the platform was subject to a flash loan attack two days previously.

The cyberattack exploited the project's protocol governance mechanism. According to a post-mortem conducted by Omniscia, the exploit occurred due to the recent implementation of the Curve LP Silos, "ultimately permitting the attacker to conduct an emergency execution of a malicious proposal siphoning project funds."

Flash loan functions in DeFi projects allow users to borrow large amounts of virtual funds for a short period of time. In Beanstalk Farm's case, voting powers were based on the amount of tokens held.

Omniscia says that after the attacker secured a flash loan -- and, therefore, extensive voting rights normally used to accept or decline changes in the protocol's code -- an emergency governance mechanism was abused to 'vote' for a malicious proposal and allow themselves to send funds to a wallet they controlled.

The flash loan was then repaid.

According to PeckShield, who first spotted the attack, total losses reached $182 million, with the attacker able to pocket roughly $80 million. Other losses were due to the fees required to execute the flash loan.

Stolen assets were then liquidated into Ethereum (ETH). Beanstalk says approximately $76 million in non-Beanstalk assets were stolen from liquidity pools.

Beanstalk was paused following the discovery of the attack, but this was not enough to prevent the theft or claw back the stolen funds.

Remaining BEANs in the exploiter contract have been burned.

In a tweet, Beanstalk offered the attacker 10% of the stolen funds as a bug bounty if they returned 90%.

screenshot-2022-04-21-at-13-36-34.png

Notably, the thief also appears to have sent $250,000 to the Ukrainian relief fund Ukraine Crypto Donation.

"Beanstalk Farms, the decentralized development team working on Beanstalk, is preparing a strategy to safely re-launch a more secure Beanstalk with a path forward," the project says.

There are several goals on the roadmap: attracting investment to restart Beanstalk; preserving "as much of each Farmers' Stalk, Seed, and Pod positions as possible," and "aligning new capital with previous Stalk and Pod holders."

"This eye-watering amount of money stolen will not only bite financially but in it will potentially chip away at the trust too," commented Jake Moore, Global Cyber Security Advisor at ESET. "Attackers are heavily targeting crypto finance systems due to the extremely high rewards whilst often leaving no remanence of evidence whatsoever."

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


Related

Nova Finance seeks to make DeFi accessible to every investor through automation and education
Abstract image of blockchain formed by binaries and network on a dark background.

Nova Finance seeks to make DeFi accessible to every investor through automation and education

Blockchain
Zero-knowledge proofs will play a major role in the future of Web3, DeFi and metaverse: Survey
gettyimages-1390644986.jpg

Zero-knowledge proofs will play a major role in the future of Web3, DeFi and metaverse: Survey

Web3
Samsung Wallet is now available, combines multiple services into one app
Access digital assets, Samsung Pay, Samsung Pass, and more in one app.

Samsung Wallet is now available, combines multiple services into one app

Banking