Beanstalk Farms, an Ethereum-based stablecoin protocol, was targeted by cyber-attackers who stole $80 million in tokens in one of the biggest flash-loan exploits ever. The security breach was executed by two sinister governance proposals together with a flash loan attack.
In decentralized finance (DeFi), flash loans are made when users manage to borrow huge amounts of stablecoins without providing any collateral. That is something that is not possible in the traditional lending space.
In that context, Beanstalk saw its governance proposal network exploited heavily enabling the malicious individuals to extract all available money in collateral. This issue with the stablecoin protocol was seeded by various suspicious governance proposals BIP-18 and BIP-19 issued on April 16 by the hacker who asked for the protocol to donate some of the funds to Ukraine.
Nonetheless, these proposals had a malicious rider hidden within them which in the end created the sinkhole of funds from the protocol, as highlighted by the smart contract auditor BlockSec.
This security breach of decentralized finance (DeFi) protocol took place at 12:24 pm UTC. At that time, the criminal took out $1 billion in flash loans from the AAVE protocol denominated in DAI, USD Coin, and Tether stablecoins.
They utilized these funds to acquire enough assets enabling them to take over 67% of the protocol’s governance and then approve their proposals.
We’re engaging all efforts to try to move forward. As a decentralized project, we are asking the DeFi community and experts in chain analytics to help us limit the exploiter's ability to withdraw funds via CEXes. If the exploiter is open to a discussion, we are as well. https://t.co/fwceVz6hbi
— Beanstalk Farms (@BeanstalkFarms) April 17, 2022
A flash loan has to be executed and repaid within a single block and calls many smart contracts concurrently to complete. Flash loans have been used previously to execute hacks and security exploits of other protocols. Beanstalk Farms is a decentralized algorithmic stablecoin-issuing platform underpinned by Ethereum.
Therefore, this case was technically not a hack because the smart contracts and governance processes functioned optimally. Problems and shortcomings in their design were exploited, and the project spokesperson “Publius” acknowledged the incident in a meeting on April 18, where he said:
“It’s unfortunate that the same governance procedure that put beanstalk in a position to succeed was ultimately its undoing.”
PeckShield blockchain security analysis firm alerted the Beanstalk team via Twitter at 12:41 pm UTC on April 17 about the incident:
“Hi, @beanstalkFarms, you may want to take a look.”
Our initial analysis shows the @BeanstalkFarms loss is ~$182m ! Here is the breakdown of stolen assets: 79,238,241 BEAN3CRV-f, 1,637,956 BEANLUSD-f, 36,084,584 BEAN, and 0.54 UNI-V2_WETH_BEAN. https://t.co/8OzPn8F8ot
— PeckShield Inc. (@peckshield) April 17, 2022
At that point, it was already too late. The criminal had made away with a whopping $80 million on Ether (ETH) and Beans (BEAN) tokens while the entire protocol was reported to have lost $182 million in total value locked (TVL) according to PeckShield.
BEAN is still down by around 80% trading below $0.19 according to CoinGecko data but bottomed at $0.06 when the hacker dumped most of their tokens.
How The Beanstalk Exploiter Executed The Plan
The criminal exchanged BEAN for ETH and then sent these coins to Tornado Cash to cover all their digital tracks. Nonetheless, they sent 250,000 USDC to the Ukraine Crypto Donation wallet. At 11:49 pm UTC on April 17, Publius said that the Beanstalk project might be lost since no venture capital backing is available to recover from these losses. He said: “We are f**ked.”
In the April 18 official meetings on the Beanstalk Discord channel, Publius introduced the three individuals who developed the project. They include Michael Montoya, Benjamin Weintraub, and Brendan Sanderson. All of them went to the University of Chicago where the idea of Beanstalk Farms came up.
Montoya said that the Beanstalk team consulted the Federal Bureau of Investigation (FBI) Crime Center services and would:
“Fully cooperate with them to track down the perpetrators and recover funds.”
The protocol’s smart contracts have been stopped and governance privileges revoked by the team. They have not responded to the issue of whether the FBI has any legal right or mandate to help them resolve this matter. Nonetheless, Publius believes that it is a form of theft that has to be investigated thoroughly.
On that note, the Beanstalk community has been mostly supportive of the developers in its current difficult times despite the huge personal losses. But, one community member called “Astrabean” is convinced that the team has to take more responsibility for the attack instead of accepting everything that took place to be an honest mistake that the project has to recover and move on from. He added:
“I would have wanted you as leaders to take accountability for what happened.”
On the flip side, “CharlieP” reiterated worries about trust in the protocol. He insistently asked the Beanstalk Farms team:
“Are you saying you have no responsibility for this endeavor? If that’s the case, who are we to trust that this is not going to happen again?”
Publius answered that the project is just an open-source code experiment, and not yet a business. He explained that neither he nor the Beanstalk team should be held accountable for everything that happened. He added:
“When you ask us to take responsibility, it’s really inappropriate.”