Beanstalk Farms Loses $182M Following Exploit

  • A flash loan allowed the attacker to obtain enough Beanstalk governance tokens to pass two proposals, enabling him to drain the protocol’s funds.
  • The malicious entity was able to steal 24,830 ETH and 36 million BEAN tokens, which were then laundered through Tornado Cash.
Ethereum-based stablecoin protocol Beanstalk Farms has lost its $182 million total value locked (TVL) following a flash loan attack on Sunday, the company said in a post mortem on 17 April.

According to blockchain security firm PeckShield, the attacker was able to get away with around $80 million in various crypto assets, which caused the BEAN stablecoin to collapse from its $1 peg. Even though the attacker obtained around 24,830 ETH and 36 million BEAN, the total loss for the project is around $182 million. PeckShield tweeted:

While hacks and exploits are nothing new in the DeFi world, this time the malicious entity used the protocol’s governance against it. According to the post mortem, the attacker used a flash loan to accumulate a large amount of Beanstalk’s native governance token STALK, which he then used to pass his own governance proposals (BIP-18 and BIP-19). These proposals asked the protocol to donate funds to Ukraine, but instead sent the funds to the attacker’s wallet.
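The attack pattern above works only when a governance contract counts voting power from balances that can be borrowed and returned within one transaction, and lets a passed proposal execute immediately. The following contract is an added illustration of the two standard defenses, written for this article; it is not Beanstalk’s code, and it assumes a hypothetical checkpointed token exposing the OpenZeppelin-style `getPastVotes` / `getPastTotalSupply` interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal governor (not Beanstalk's code) showing two defenses
// against flash-loan governance capture:
//  (1) voting power is read from a checkpoint taken in the block before the
//      proposal existed, so tokens borrowed and deposited in the same
//      transaction carry no weight;
//  (2) a mandatory delay between proposal and execution, so a single
//      borrow-vote-execute-repay transaction cannot be closed.
interface IVotes {
    // Checkpointed voting power, as in OpenZeppelin's ERC20Votes (assumed).
    function getPastVotes(address account, uint256 blockNumber) external view returns (uint256);
    function getPastTotalSupply(uint256 blockNumber) external view returns (uint256);
}

contract TimelockedGovernor {
    struct Proposal {
        address target;        // contract the proposal calls on execution
        bytes data;            // calldata for that call
        uint256 snapshotBlock; // block whose balances decide voting power
        uint256 readyAt;       // earliest timestamp at which execution is allowed
        uint256 forVotes;
        bool executed;
    }

    IVotes public immutable votes;
    uint256 public constant EXECUTION_DELAY = 1 days;
    uint256 public constant QUORUM_BPS = 6667; // two-thirds supermajority of snapshot supply
    Proposal[] public proposals;
    mapping(uint256 => mapping(address => bool)) public voted;

    constructor(IVotes _votes) { votes = _votes; }

    function propose(address target, bytes calldata data) external returns (uint256 id) {
        // Snapshot the previous block: balance changes in the current block are invisible.
        proposals.push(Proposal(target, data, block.number - 1, block.timestamp + EXECUTION_DELAY, 0, false));
        return proposals.length - 1;
    }

    function vote(uint256 id) external {
        Proposal storage p = proposals[id];
        require(!voted[id][msg.sender], "already voted");
        voted[id][msg.sender] = true;
        p.forVotes += votes.getPastVotes(msg.sender, p.snapshotBlock); // historical, not current, balance
    }

    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        require(block.timestamp >= p.readyAt, "timelock active"); // blocks same-transaction execution
        require(p.forVotes * 10000 >= votes.getPastTotalSupply(p.snapshotBlock) * QUORUM_BPS, "no supermajority");
        p.executed = true;
        (bool ok, ) = p.target.call(p.data);
        require(ok, "proposal call failed");
    }
}
```

Either defense alone breaks the single-transaction loop; a timelock additionally gives token holders and monitoring tools time to notice a hostile proposal before it can move funds.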

The attacker, however, did send 250,000 USDC to the Ukraine Crypto Donation wallet. He also laundered all of the stolen funds through Tornado Cash, which allows users to obfuscate crypto transactions.

In its post mortem, Beanstalk explained that its smart contracts had gone through a security audit by blockchain security firm Omnicia, but that audit was completed before the code containing the flash loan vulnerability the attacker used was introduced. The team behind the project has reached out to the Federal Bureau of Investigation, stating it will “fully cooperate with them”, and has also asked the wider DeFi community to help it limit the attacker’s ability to withdraw funds through centralized exchanges (CEXs).
