Beanstalk Farms Suffers Exploit Leading to $182 Million Loss


Beanstalk Farms is the latest project to fall victim to a security breach, losing its entire $182 million in collateral in the process.

The credit-based stablecoin protocol was hit by a combination of two malicious governance proposals and a flash loan attack.

A flash loan is borrowed and repaid within a single transaction, and therefore within a single block; if the loan is not repaid by the end of the transaction, the whole transaction reverts. Such a transaction typically calls several smart contracts in sequence. Flash loans have been used in earlier hacks and exploits of other protocols. Beanstalk Farms runs on Ethereum.

According to blockchain security firm PeckShield, the attacker made off with roughly 24,830 Ethereum (ETH) and 36 million Bean (BEAN) in the breach.

Beanstalk confirms attack

Confirming the attack, Beanstalk Farms wrote that they are “engaging all efforts to try to move forward.”

“As a decentralized project, we are asking the DeFi [decentralized finance] community and experts in chain analytics to help us limit the exploiter’s ability to withdraw funds via CEXes. If the exploiter is open to a discussion, we are as well,” said a spokesman for Beanstalk Farms.

Bailout unlikely

Since the attack, BEAN is down 78.3% and is trading at $0.21. Publius, a core team member, said on Discord that the incident could lead to the demise of the asset. “This project has not had any venture backing, so it is highly unlikely there is any sort of bailout coming.”

PeckShield chronicled the nature of the attack, pointing out that it began with two governance proposals, BIP-18 and BIP-19, ostensibly meant to donate funds to war-torn Ukraine.

Both PeckShield and security firm BlockSec agree that the proposals contained malicious code designed to “drain the pool’s fund.”

According to BlockSec, the attacker submitted the proposals, waited out the one-day delay that the emergency procedure imposes before emergencyCommit can be called, and then struck.

emergencyCommit requires a two-thirds supermajority of voting power. To reach it, the attacker took out flash loans for a large quantity of tokens and deposited them into Beanstalk’s Diamond contract, which counts deposits as voting power. Because voting power was measured from the deposits held at the moment of the commit, the borrowed tokens counted in full, and the deposit, vote, commit and loan repayment all took place within a single transaction.

One-of-a-kind attack

With almost 79% of the voting power, the attacker committed the proposal and drained the funds in what has been described as a one-of-a-kind attack. On-chain data indicates that the attacker sent 250,000 USD Coin (USDC) to an address affiliated with Ukraine’s donation efforts.
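A toy model of the mechanism described above, added here as an illustration and not Beanstalk’s own code: a governance contract that reads voting power from whatever is deposited at commit time can be captured with a flash loan, whereas one that snapshots deposits when the proposal is submitted cannot, because a flash loan cannot remain deposited across the delay between proposal and commit. All names (Governance, emergency_commit, flash_loan_attack), the one-block stand-in for the one-day delay, and the deposit and treasury figures are constructed for the example.

```python
"""Toy model of a flash-loan governance attack on a deposit-weighted DAO.

Added illustration, not Beanstalk's code. Names and all numbers are
constructed for the example. The one-day emergency delay is modelled as one
block; a flash loan must be repaid within the block it was taken, so it can
never span that delay.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from fractions import Fraction

SUPERMAJORITY = Fraction(2, 3)  # share of voting power emergency_commit requires
EMERGENCY_DELAY = 1             # blocks between proposal and emergency commit


@dataclass
class Proposal:
    proposer: str
    proposed_at: int
    votes: set = field(default_factory=set)
    snapshot: dict | None = None   # deposits at proposal time (hardened mode only)
    executed: bool = False


class Governance:
    """Deposits confer voting power. snapshot_voting=False mirrors the weakness
    exploited here: power is read from *current* deposits at commit time."""

    def __init__(self, treasury: int, snapshot_voting: bool):
        self.treasury = treasury
        self.snapshot_voting = snapshot_voting
        self.deposits: dict[str, int] = {}
        self.proposals: dict[str, Proposal] = {}
        self.block = 0

    def deposit(self, who: str, amount: int) -> None:
        self.deposits[who] = self.deposits.get(who, 0) + amount

    def withdraw(self, who: str, amount: int) -> None:
        if self.deposits.get(who, 0) < amount:
            raise ValueError("insufficient deposit")
        self.deposits[who] -= amount

    def propose(self, who: str, pid: str) -> None:
        if self.deposits.get(who, 0) == 0:
            raise PermissionError("only depositors may propose")
        snap = dict(self.deposits) if self.snapshot_voting else None
        self.proposals[pid] = Proposal(who, self.block, snapshot=snap)

    def vote(self, who: str, pid: str) -> None:
        self.proposals[pid].votes.add(who)

    def support(self, pid: str) -> Fraction:
        """Share of total voting power backing the proposal."""
        p = self.proposals[pid]
        weights = p.snapshot if p.snapshot is not None else self.deposits
        total = sum(weights.values())
        backing = sum(weights.get(v, 0) for v in p.votes)
        return Fraction(backing, total) if total else Fraction(0)

    def emergency_commit(self, pid: str, payload_recipient: str) -> int:
        """Execute early once the delay has passed and a supermajority backs it.
        The 'payload' transfers the treasury to payload_recipient, standing in
        for the malicious code the proposal carried."""
        p = self.proposals[pid]
        if self.block < p.proposed_at + EMERGENCY_DELAY:
            raise PermissionError("emergency delay not elapsed")
        if self.support(pid) < SUPERMAJORITY:
            raise PermissionError("supermajority not reached")
        p.executed = True
        drained, self.treasury = self.treasury, 0
        return drained


def flash_loan_attack(gov: Governance, attacker: str, loan: int, pid: str) -> tuple[int, Fraction]:
    """Everything here happens inside one block: borrow, deposit, vote, commit, repay."""
    gov.deposit(attacker, loan)          # borrowed tokens become voting power...
    gov.vote(attacker, pid)
    share = gov.support(pid)             # ...as the governance contract sees it
    try:
        stolen = gov.emergency_commit(pid, attacker)
    except PermissionError:
        stolen = 0
    gov.withdraw(attacker, loan)         # repay the flash loan before the block closes
    return stolen, share


def run_scenario(snapshot_voting: bool) -> tuple[int, Fraction]:
    gov = Governance(treasury=182_000_000, snapshot_voting=snapshot_voting)
    gov.deposit("alice", 60_000)         # honest depositors (constructed figures)
    gov.deposit("bob", 40_000)
    gov.deposit("attacker", 1_000)       # small stake, enough to submit a proposal
    gov.propose("attacker", "BIP-18")    # malicious proposal submitted...
    gov.block += EMERGENCY_DELAY         # ...and left to sit out the emergency delay
    return flash_loan_attack(gov, "attacker", loan=1_000_000, pid="BIP-18")


if __name__ == "__main__":
    for mode in (False, True):
        stolen, share = run_scenario(snapshot_voting=mode)
        print(f"snapshot_voting={mode}: support={float(share):.3f}, drained={stolen}")
```

In the first mode the attacker’s borrowed deposit lifts their share above two thirds and the commit drains the treasury; in snapshot mode the same attacker holds about 1% of the power recorded when the proposal was filed, so the commit is refused and the loan is simply repaid. The delay alone does not help if power is read live at commit time, which is the combination the model reproduces.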

“The same governance procedure that put Beanstalk in a position to succeed was ultimately its undoing,” said Publius.

The project’s team has since said they are not to be blamed for the attack. Their stance whipped up controversy in the community with members demanding they take responsibility for the incident.

“When you ask us to take responsibility, it’s really inappropriate,” said Publius. He argued that Beanstalk Farms was an open-source code project and was not run as a business so the team should be absolved of any wrongdoing.



Wahid loves to write, especially about Crypto and Blockchain. He started his blogging journey in 2017 and turned to crypto in 2019. Wahid is interested in tech, chess and DeFi. He aims to promote decentralization to everyone on the planet.
