
Beanstalk Farms Loses $182M to Hack, What happened?

Earlier this week, Ethereum-based stablecoin project Beanstalk Farms suffered losses totaling $182 million after falling victim to a governance exploit.

This is the second DeFi protocol to experience a security breach since the start of this month. The attackers drained Beanstalk Farms of all its collateral funds, and the token’s price fell soon after. The BEAN stablecoin, which had been pegged at $1, lost about 86% of its value.

How did the Attack Occur?

Behind the breach were 2 suspicious governance proposals as well as a flash loan attack. Flash loans are a new form of lending that uses smart contracts to issue uncollateralized loans. What sets this system apart is that the loan must be borrowed and repaid within a single block.

The Beanstalk hacker took out a $1B loan from Ethereum-based lending platform AAVE at 12:24 pm UTC. With these funds, they were able to obtain a large quantity of Beanstalk Farms’ native governance token. This move placed them in control of about 67% of the project’s governance.

Following this, they were able to approve the 2 malicious proposals they had issued, BIP-18 and BIP-19. These proposals appeared relatively innocent, requesting donations for Ukraine in its ongoing war. Once they were approved, the attacker drained the collateral funds into an external wallet.
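Added example, not Beanstalk’s code: a toy Python model of token-weighted governance showing why reading vote weight from live balances lets tokens borrowed and repaid inside one block pass a supermajority proposal, and why reading weight from a checkpoint of an already-sealed earlier block (the approach checkpoint-based governor contracts take) defeats it. The contract model, the balances and the 2/3 threshold are constructed assumptions; it also shows that an execution delay alone does not help when the vote weight was already counted live.

```python
SUPERMAJORITY = 2 / 3  # assumed threshold for passing a proposal


class Governance:
    def __init__(self, balances, checkpointed, delay):
        self.balances = dict(balances)    # live token balances
        self.checkpoints = {}             # block -> balances at end of that block
        self.block = 0
        self.checkpointed = checkpointed  # read weight from a sealed past block?
        self.delay = delay                # blocks that must pass before execution
        self.supply = sum(balances.values())
        self.proposals = []               # each: {"block": int, "for": int}

    def mine(self):
        # Seal the current block (record end-of-block balances) and advance.
        self.checkpoints[self.block] = dict(self.balances)
        self.block += 1

    def propose(self):
        self.proposals.append({"block": self.block, "for": 0})
        return len(self.proposals) - 1

    def weight(self, voter, p):
        if self.checkpointed:
            # Block before the proposal is sealed: a loan repaid in-block never shows.
            return self.checkpoints.get(p["block"] - 1, {}).get(voter, 0)
        return self.balances.get(voter, 0)  # live balance: counts a flash loan

    def vote(self, pid, voter):
        self.proposals[pid]["for"] += self.weight(voter, self.proposals[pid])

    def execute(self, pid):
        p = self.proposals[pid]
        if self.block < p["block"] + self.delay:
            return False                  # timelock not elapsed
        return p["for"] >= SUPERMAJORITY * self.supply


def flash_loan_takeover(checkpointed, delay):
    """Attacker holds nothing, borrows 70% of supply, proposes, votes, tries to
    execute and repays in one block, then retries after the delay. (Constructed.)"""
    gov = Governance({"community": 300_000, "pool": 700_000, "attacker": 0},
                     checkpointed, delay)
    gov.mine()                                    # block 0 sealed, now in block 1
    gov.balances.update({"pool": 0, "attacker": 700_000})   # flash-borrow ...
    pid = gov.propose()
    gov.vote(pid, "attacker")                     # 70% > 2/3 if counted live
    passed = gov.execute(pid)                     # same-block attempt
    gov.balances.update({"pool": 700_000, "attacker": 0})   # ... and repay
    for _ in range(delay):                        # wait out the timelock
        gov.mine()
    return passed or gov.execute(pid)
```

With live weights the proposal passes whether or not there is a delay; with checkpointed weights the borrowed tokens carry no votes at all.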

The flash loan comprised USD Coin (USDC), Dai (DAI), and Tether (USDT) stablecoins. In a Twitter report about the exploit, blockchain security company PeckShield broke down the attacker’s loot. They were able to steal 24,830 native Ethereum tokens (ETH) in addition to 36m Bean (BEAN).

The security firm noted the attack and alerted Beanstalk. They also pointed out that the attacker did send 250,000 USDC to a wallet address receiving Ukraine relief funds.

The Beanstalk Team’s Response

Following the attack, Beanstalk tweeted its confirmation noting that an investigation was already underway and an official announcement was forthcoming. They later shared that they were working to forge ahead following the exploit.

The team has declined to confirm whether users will receive a refund, but Publius, one of the project leads, shared more information on Discord. The Beanstalk exploit technically isn’t a hack, as the attacker leveraged openings in a system that functioned as designed.

Publius acknowledged and bemoaned this, also pointing out that it could lead to the project’s collapse. Beanstalk does not enjoy the backing of any venture capitalists, and thus has no bailout in sight. More information on reimbursement will become public during a town hall event set for Sunday.

The developers have since been doxxed, namely Benjamin Weintraub, Brendan Sanderson, and Michael Montoya. Montoya shared with the project’s community that they had contacted the FBI and would fully cooperate with its investigation.

Interestingly, the team has declared themselves blameless in the attack. This kicked up an uproar in the community with Publius arguing that it was inappropriate to expect them to take responsibility. The spokesman stated that the team could not be held accountable.


Beanstalk Farms was an open-source protocol that the team did not manage as a business, he said. As stated earlier, this is yet another addition to a series of attacks on DeFi protocols in recent times. It is also notable that flash loans have become increasingly popular as a tool for attackers carrying out exploits.
