Not too long after he dropped out of college to pursue a career in crypto, Ben Weintraub was served with some bad news. Mr. Weintraub and two colleagues from the University of Chicago spent several months working on a software platform dubbed Beanstalk. This project offered a stablecoin with a fixed value of $1.
Surprisingly, Beanstalk became an overnight sensation, bringing on board many crypto speculators who saw it as an exciting contribution to the experimental DeFi sector. Then it collapsed. In April 2022, a hacker found and exploited a defect in Beanstalk’s design. They stole at least $180 million from unsuspecting users.
The crypto industry is on edge after a series of hacks. Over $2 billion in digital currency has been lost to hackers in 2022 alone, shaking the belief in the experimental sector of decentralized finance (DeFi).
On the morning of the Beanstalk hack, Mr. Weintraub, 24, was home for Passover in Montclair, N.J. He told his parents:
“Wake up, Beanstalk is dead.”
Cybercriminals have terrorized the crypto sector for many years now. In the process, they have stolen bitcoin and other cryptocurrencies from online wallets and raided the exchanges where investors sell and buy digital currencies. However, the speedy explosion of DeFi startups like Beanstalk has resulted in a new form of threat.
The barely regulated ventures let people lend, borrow and execute other transactions without brokers or banks. These transactions wholly rely on a system that is governed by code. Using decentralized finance software, investors can get loans without undergoing a credit check or revealing their identities.
DeFi Protocols Vulnerable Due To Faulty Code
As the market surged in 2021, the budding industry was welcomed as the future of finance. It would act as a democratic alternative to Wall Street that would offer amateur traders access to lots of capital. Crypto users entrusted roughly $100 billion in virtual currency to hundreds of DeFi protocols and projects.
Some of the software was built using faulty code. In 2022, $2.2 billion in crypto has been stolen from decentralized finance projects, according to the crypto tracking company Chainalysis, putting the entire industry on pace for its worst year of hacking losses.
Most of these thefts have come from flaws in the computer programs – called smart contracts – that power decentralized finance. The programs are mostly built quickly. Since smart contracts use open-source code that offers a publicly viewable map of the software, hackers have managed to set up attacks on the digital network itself, instead of just infiltrating someone’s account.
It is the difference between robbing a person and emptying a whole bank vault. The vice president of investigations at Chainalysis, Erin Plante, stated:
“DeFi has introduced a whole other level for hackers to be able to access a platform. It’s putting a lot of pressure on the space and restricting the innovation that’s possible.”
The breaches seem to have shaken faith in decentralized finance during a hard period for the crypto sector. An epic crash this spring wiped out almost $1 trillion and forced many high-profile firms into bankruptcy.
In August, thieves exploited a coding issue to drain $190 million from a firm named Nomad. In the past week, the crypto company Wintermute stated that its DeFi department had been attacked, resulting in a loss of $160 million.
Tracking the movement of these stolen crypto funds is easy. Transactions are recorded on public ledgers known as blockchains, which anybody can analyze to find the patterns. However, it is considerably challenging to regain access to the lost funds.
These hacks have prompted most DeFi startups to explore different preventive measures, recruiting auditors to examine their code for any possible vulnerabilities. Even as other types of crypto companies cut costs in the winter, auditing and security firms have seen a major surge in business.
Goncalo Sa, one of the founders of ConsenSys Diligence, which conducts code audits, said:
“This year was a good year for attackers. That has ingrained in the minds of people that security is something that they should take seriously.”
From crypto’s inception, firms appear to have struggled with security. In 2014, the first massive Bitcoin exchange, Mt. Gox, was breached in a damaging attack. This attack eventually led to the firm’s bankruptcy and the loss of billions of dollars in digital currency.
At the time, the sector was considerably small and uncomplicated. Now the hackers can attack a bigger ecosystem, including an experimental economy of cryptocurrency-based video games, decentralized lending projects, and newfangled coins. In 2021, a hacker stole $600 million from the DeFi platform Poly Network. The hacker eventually returned that money after extensive negotiations with the project’s leaders.
2022’s hacks have resulted in a lot of damage. In March this year, a group that was sponsored by the North Korean government stole $620 million in digital currency from the Ronin Network, a decentralized finance platform that mainly powers the video game Axie Infinity. At the same time, a hacker exploited a software vulnerability in a DeFi project known as Wormhole to abscond with $320 million.
A former FBI agent now running the cybersecurity firm NAXO, Chris Tarbell, said:
“Many people are putting up platforms with a known vulnerability. In a target-rich environment, criminals are going to be opportunistic.”
The Wormhole attack exploited vulnerabilities existing in a novel element of crypto technology called a cross-chain bridge. The bridge lets investors switch back and forth between digital currencies developed on separate blockchains.
Some DeFi platforms facilitate conversions to help people capitalize on trading opportunities; a trader who owns a lot of Ether, for instance, might want to utilize an application on another currency’s blockchain without needing to sell the Ether (ETH) and acquire the other currency.
The huge amount of crypto flowing across the cross-chain bridges makes them valuable targets. Up to 10 hacks this year have involved bridges, resulting in losses of $1.3 billion, according to Chainalysis. This technology is “highly complicated, and complexity is the enemy of security,” according to Steve Walbroehl, a founder of the crypto security company Halborn.
Beanstalk Had Several Vulnerabilities
Beanstalk was not developed as a cross-chain bridge. However, it had other vulnerabilities baked into its code.
The project’s inner operations were nearly comically obscure. A white paper highlighting its mechanics features 61 pages of charts, graphs, and mathematical equations (and a quote from Alexander Hamilton’s letters).
One passage, lifted from the guide to the platform known as the Farmers’ Almanac, reads:
“The number of Pods that grow from 1 Sown Bean is determined by the Temperature — the Beanstalk-native interest rate — at the time of Sowing.”
Essentially, Beanstalk let people deposit tens of millions of dollars in virtual currency into a software network that generated significant interest and helped maintain the value of a stablecoin known as a bean.
The project did not operate as a traditional start-up. Just like most crypto founders, Mr. Weintraub and his partners, Michael Montoya, 24, and Brendan Sanderson, 25, kept their identities secret. They called themselves Publius, a homage to the authors of the Federalist Papers.
When the software was unleashed in August 2021, the users who deposited their cryptocurrency got votes in an investor collective known as a decentralized autonomous organization (DAO) that had to agree to any changes to the software.
Beanstalk’s collective governance was primarily its undoing. In April, a hacker borrowed a staggering $1 billion of crypto from another DeFi project, Aave. That transaction was a flash loan.
By definition, a flash loan is a lightning-fast procedure where a crypto user borrows funds without needing to post any collateral. The user then makes a trade and instantly pays back the loan, keeping all profits generated from the series of concurrent exchanges.
The code that Mr. Weintraub and his colleagues had designed lacked a mechanism for stopping anyone from using a flash loan to take over the platform. Hence, the attacker used the $1 billion to acquire a massive stake in the Beanstalk DAO, entirely controlling the software’s governance. The hacker later transferred everyone’s funds – up to $200 million – out of the Beanstalk system.
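The governance gap described above, modeled as an added example (not code from Beanstalk or from this article): a toy DAO in Python where voting power is read either from live balances or from a checkpoint taken before the proposal's block. The class, names and numbers are constructed, and checkpointed voting is shown as one common mitigation in governance designs, not as the fix Beanstalk adopted.

```python
class Dao:
    """Toy governance model (constructed): voting power equals deposited stake."""

    def __init__(self, snapshot_voting, threshold=2 / 3):
        self.snapshot_voting = snapshot_voting  # True = hardened setting
        self.threshold = threshold              # share of stake needed to pass
        self.block = 0
        self.stake = {}                         # holder -> live stake
        self.checkpoints = {}                   # block -> stakes at end of block

    def deposit(self, who, amount):
        self.stake[who] = self.stake.get(who, 0) + amount

    def withdraw(self, who, amount):
        if self.stake.get(who, 0) < amount:
            raise ValueError("insufficient stake")
        self.stake[who] -= amount

    def mine(self):
        """Close the current block: checkpoint stakes, then advance."""
        self.checkpoints[self.block] = dict(self.stake)
        self.block += 1

    def vote_passes(self, who, proposal_block):
        if self.snapshot_voting:
            # Power is read from the block before the proposal existed.
            book = self.checkpoints.get(proposal_block - 1, {})
        else:
            # Weak setting: power is whatever the voter holds right now.
            book = self.stake
        total = sum(book.values())
        return total > 0 and book.get(who, 0) / total >= self.threshold


def same_block_vote(dao, loan):
    """Borrow, deposit, vote and repay inside one block; return (passed, stake left)."""
    proposal_block = dao.block
    dao.deposit("borrower", loan)
    passed = dao.vote_passes("borrower", proposal_block)
    dao.withdraw("borrower", loan)  # the loan is repaid before the block closes
    return passed, dao.stake["borrower"]


def run(snapshot_voting):
    dao = Dao(snapshot_voting)
    dao.deposit("long_term_holders", 100)  # constructed numbers
    dao.mine()
    return same_block_vote(dao, loan=1_000)
```

With live balances the borrowed stake carries the vote even though none of it remains once the block closes; with checkpoints the same deposit has no voting power, while existing depositors keep theirs.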
Panic ensued, with one Beanstalk user declaring on YouTube:
“I lost $1 million today. It happened through beans.”
Some of the users suspect that Mr. Weintraub and his colleagues were behind this attack – a classic ‘rug pull’ where developers flee with investors’ money. Mr. Weintraub said:
“The pitchforks were out. It felt like death.”
Eventually, he decided to continue the project. They reported the theft to the FBI and held lengthy calls with Beanstalk investors and enthusiasts to find the way forward. Weintraub and his colleagues revealed their identities for the first time in an April 2022 post on the chat forum Discord. That was a risky move since they became vulnerable to lawsuits from users and regulatory scrutiny.
In the last several months, the Beanstalk DAO has strived to restart the project, recruiting blockchain analysis companies to assist in tracking down the lost funds. The team also hired the Halborn security firm that is now reviewing the code to get rid of all vulnerabilities. Beanstalk officially reopened in August.
Such comeback efforts are fairly common in crypto. Mr. Weintraub commented:
“We’ve always been so transparent with the community that this is an experiment. We’re all figuring this out together.”
The stolen funds are still missing as of September 2022.