Ethereum-based stablecoin protocol Beanstalk Farms has lost its $182 million total value locked (TVL) following a flash loan attack on Sunday, the company said in a post mortem on 17 April.
According to blockchain security firm PeckShield, the attacker was able to get away with around $80 million in various crypto assets, which caused the BEAN stablecoin to collapse from its $1 peg. Even though the attacker obtained around 24,830 ETH and 36 million BEAN, the total loss for the project is around $182 million.
While hacks and exploits are nothing new in the DeFi world, this time the malicious entity used the protocol’s governance against it. According to the summary, the attacker used a flash loan to accumulate a large amount of Beanstalk’s native governance token STALK, which he then used to pass his own governance proposals (BIP-18 and BIP-19). These proposals asked the protocol to donate funds to Ukraine, but instead sent the funds to the attacker’s wallet.
The attacker, however, did send 250,000 USDC to the Ukraine Crypto Donation wallet. He also laundered all of the stolen funds through Tornado Cash, which allows users to obfuscate crypto transactions.
In its post mortem, Beanstalk explained that its smart contracts had gone through a security audit by blockchain security firm Omniscia, but that the audit was completed before the flash loan vulnerability the attacker used was introduced. The team behind the project has reached out to the Federal Bureau of Investigation, stating it will “fully cooperate with them”, and has also asked the wider DeFi community to help it limit the attacker’s ability to withdraw funds through centralized exchanges (CEXs).