Beanstalk Farms Loses $182M Following Exploit

  • A flash loan allowed the attacker to obtain enough Beanstalk governance tokens to pass two proposals, enabling him to drain the protocol’s funds.
  • The attacker stole 24,830 ETH and 36 million BEAN tokens, which were then laundered through Tornado Cash.

Ethereum-based stablecoin protocol Beanstalk Farms has lost its entire $182 million in total value locked (TVL) following a flash loan attack on Sunday, the project said in a post-mortem published on 17 April.

According to blockchain security firm PeckShield, the attacker walked away with around $80 million in various crypto assets, and the attack caused the BEAN stablecoin to lose its $1 peg. The attacker's own haul was around 24,830 ETH and 36 million BEAN; the total loss to the protocol, including the collapse in value of the remaining deposits, is around $182 million.

While hacks and exploits are nothing new in the DeFi world, this time the attacker turned the protocol's own governance against it. According to the post-mortem, the attacker used a flash loan to acquire a large amount of Beanstalk's native governance token STALK, enough voting power to pass their own governance proposals (BIP-18 and BIP-19), and then used that power to pass and execute them. Because a flash loan is borrowed and repaid within a single transaction, the whole sequence of borrowing, voting, executing and repaying happened atomically, leaving other token holders no chance to react. The proposals were presented as donations to Ukraine, but actually sent the protocol's funds to the attacker's wallet.
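The governance takeover described above, modelled as an added example that is not Beanstalk's code: a small Python simulation of token-weighted governance in which the Governance class, the holder balances, the 2/3 supermajority threshold and the attacker/pool names are all assumptions chosen for illustration. It runs the same two-phase flash-loan attack against four configurations and shows that a timelock on its own does not stop the attack when votes are tallied from live balances, while counting voting power from balances checkpointed at the start of the proposal's block does, because a flash loan is borrowed and repaid inside one block and never appears at a block boundary.

```python
"""Model of a flash-loan governance takeover and its mitigation.

Constructed, simplified in-memory model for illustration; it is not
Beanstalk's code. Names (Governance, attacker, pool), balances and the
2/3 supermajority threshold are assumptions.
"""
from dataclasses import dataclass, field

SUPERMAJORITY = (2, 3)   # assumed: passes when votes * 3 >= 2 * total_supply


class GovernanceError(Exception):
    pass


@dataclass
class Proposal:
    proposer: str
    created_block: int
    voters: set = field(default_factory=set)


class Governance:
    """Token-weighted governance over a modelled treasury.

    snapshot_votes=False, delay_blocks=0 reproduces the weak pattern: voting
    power is read from live balances and a proposal can be committed in the
    block it was created. snapshot_votes=True counts a voter's balance as it
    stood at the start of the proposal's block, so tokens borrowed and repaid
    within that block never count.
    """

    def __init__(self, balances, snapshot_votes=False, delay_blocks=0):
        self.balances = dict(balances)
        self.total_supply = sum(balances.values())
        self.snapshot_votes = snapshot_votes
        self.delay_blocks = delay_blocks
        self.block = 0
        self.checkpoints = {0: dict(self.balances)}  # balances at start of each block
        self.proposals = []
        self.treasury = 1_000_000   # modelled protocol funds (constructed value)

    def advance_block(self):
        self.block += 1
        self.checkpoints[self.block] = dict(self.balances)

    def propose(self, proposer):
        self.proposals.append(Proposal(proposer, self.block))
        return len(self.proposals) - 1

    def vote(self, pid, voter):
        self.proposals[pid].voters.add(voter)

    def _weight(self, p, voter):
        src = self.checkpoints[p.created_block] if self.snapshot_votes else self.balances
        return src.get(voter, 0)

    def commit(self, pid):
        p = self.proposals[pid]
        if self.block - p.created_block < self.delay_blocks:
            raise GovernanceError("timelock: too early to commit")
        weight = sum(self._weight(p, v) for v in p.voters)   # tallied at commit time
        num, den = SUPERMAJORITY
        if weight * den < num * self.total_supply:
            raise GovernanceError("supermajority not reached")
        drained, self.treasury = self.treasury, 0   # the malicious payload runs
        return drained


def flash_loan(gov, borrower, lender, amount, action):
    """Borrow, run `action`, repay: all inside one block, as a flash loan does."""
    gov.balances[lender] -= amount
    gov.balances[borrower] = gov.balances.get(borrower, 0) + amount
    try:
        return action()
    finally:
        gov.balances[borrower] -= amount
        gov.balances[lender] += amount


def attack(gov, attacker="attacker", lender="pool", loan=700):
    """Borrow enough tokens to propose and vote in one transaction; if a
    timelock is in place, wait it out and borrow again to commit.
    Returns the amount drained (0 if governance rejected the proposal)."""
    def propose_and_vote():
        pid = gov.propose(attacker)
        gov.vote(pid, attacker)
        return pid

    pid = flash_loan(gov, attacker, lender, loan, propose_and_vote)
    for _ in range(gov.delay_blocks):
        gov.advance_block()
    try:
        return flash_loan(gov, attacker, lender, loan, lambda: gov.commit(pid))
    except GovernanceError:
        return 0


HOLDERS = {"pool": 700, "alice": 200, "bob": 100}   # constructed: supply 1000


def run_scenarios():
    """Same attack against four governance configurations."""
    return {
        "live balances, no delay": attack(Governance(HOLDERS)),
        "live balances, 1-block timelock": attack(Governance(HOLDERS, delay_blocks=1)),
        "snapshot at proposal block": attack(Governance(HOLDERS, snapshot_votes=True)),
        "snapshot + timelock": attack(Governance(HOLDERS, snapshot_votes=True, delay_blocks=1)),
    }


if __name__ == "__main__":
    for name, drained in run_scenarios().items():
        print(f"{name:34s} drained {drained}")
```

The point of the second flash loan in `attack` is that a delay alone only moves the problem: if weight is still read from live balances when the proposal is committed, the attacker simply borrows again in the commit block. Checkpointed voting power closes that, and a delay on top of it gives genuine holders time to notice and respond to a hostile proposal.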

The attacker, however, did send 250,000 USDC to the Ukraine Crypto Donation wallet. He also laundered all of the stolen funds through Tornado Cash, which allows users to obfuscate crypto transactions.

In its post-mortem, Beanstalk explained that its smart contracts had been audited by blockchain security firm Omniscia, but that audit was completed before the code containing the flash loan vulnerability the attacker used was introduced. The team behind the project has reached out to the Federal Bureau of Investigation, stating it will "fully cooperate with them", and has also asked the wider DeFi community to help it limit the attacker's ability to cash out the funds through centralized exchanges (CEXs).
