Beanstalk Farms suffers a $182 million loss due to a DeFi governance exploit

The stablecoin protocol’s own governance proposal system was abused, allowing malevolent actors to withdraw the protocol’s whole $182 million in collateral.

Beanstalk Farms, a credit-based stablecoin platform, lost all of its $182 million collateral following a security breach triggered by two nefarious governance proposals and a flash loan attack.

The protocol’s vulnerability was sown by two dubious governance proposals, BIP-18 and BIP-19, submitted on April 16 by an exploiter requesting that the protocol donate funds to Ukraine. Those proposals carried a malicious rider, however, which ultimately drained the protocol’s funds, according to smart contract auditor BlockSec.

At 12:24 p.m. UTC, the latest security breach of a decentralised finance (DeFi) protocol occurred. At that point, the exploiter obtained a $1 billion flash loan from the AAVE (AAVE) protocol in DAI (DAI), USD Coin (USDC), and Tether (USDT) stablecoins. They used these sums to acquire enough holdings to seize control of the protocol’s governance and approve their own proposals.

A flash loan must be executed and repaid within a single block and frequently requires the execution of multiple smart contracts simultaneously. In the past, flash loans have been used to carry out hacks or security attacks on other protocols. Beanstalk Farms is an Ethereum-based decentralised algorithmic stablecoin issuing platform.
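The two paragraphs above describe the mechanism: a balance that exists for only one block is counted in full by a governance system that weighs live balances and lets a passed proposal execute in the same block. The following toy model, added here as an illustration and not Beanstalk’s or AAVE’s code, shows that weak design beside two standard mitigations: a voting delay (vote weight is read from a balance snapshot taken after the proposal is created) and an execution timelock. For simplicity it has the attacker borrow governance tokens directly from a constructed lending pool rather than buying them with borrowed stablecoins; all accounts, balances, block numbers and parameters are invented.

```python
"""Toy model of token-weighted governance under a single-block flash loan.

Constructed illustrative example, not any protocol's real code: accounts,
balances, block numbers and governance parameters are invented.
"""
from dataclasses import dataclass, field


@dataclass
class Chain:
    """Minimal ledger: current block, live balances, and balances at the end of past blocks."""
    block: int = 1
    balances: dict = field(default_factory=dict)
    history: dict = field(default_factory=dict)  # block -> balances at end of that block

    def advance(self):
        self.history[self.block] = dict(self.balances)
        self.block += 1

    def balance_at(self, who, block):
        if block < self.block:
            return self.history.get(block, {}).get(who, 0)
        return self.balances.get(who, 0)  # current block: live balance

    def total_supply(self):
        return sum(self.balances.values())


@dataclass
class Proposal:
    pid: int
    proposer: str
    created_block: int
    votes_for: int = 0
    executed: bool = False
    voters: set = field(default_factory=set)


class Governance:
    """voting_delay: blocks between creation and the balance snapshot used as vote
    weight (0 = live balances count). timelock: blocks after creation before a
    passed proposal may execute (0 = same block). threshold: fraction of supply."""

    def __init__(self, chain, voting_delay=0, timelock=0, threshold=0.5):
        self.chain, self.voting_delay, self.timelock, self.threshold = chain, voting_delay, timelock, threshold
        self.proposals = []

    def propose(self, proposer):
        p = Proposal(pid=len(self.proposals), proposer=proposer, created_block=self.chain.block)
        self.proposals.append(p)
        return p

    def vote(self, proposal, voter):
        snapshot = proposal.created_block + self.voting_delay
        if self.chain.block < snapshot:
            raise ValueError("voting has not opened yet")
        if voter in proposal.voters:
            raise ValueError("already voted")
        proposal.voters.add(voter)
        proposal.votes_for += self.chain.balance_at(voter, snapshot)

    def passed(self, proposal):
        return proposal.votes_for > self.threshold * self.chain.total_supply()

    def execute(self, proposal):
        if not self.passed(proposal):
            raise ValueError("proposal has not reached the threshold")
        if self.chain.block < proposal.created_block + self.timelock:
            raise ValueError("timelock has not elapsed")
        proposal.executed = True
        return True


def flash_loan_capture(gov, attacker, pool, amount):
    """Borrow, propose, vote, attempt execution and repay, all within one block,
    as a flash loan requires. Returns True only if the proposal executed before repayment."""
    chain = gov.chain
    chain.balances[pool] -= amount
    chain.balances[attacker] = chain.balances.get(attacker, 0) + amount
    proposal = gov.propose(attacker)
    try:
        gov.vote(proposal, attacker)
        executed = gov.execute(proposal)
    except ValueError:
        executed = False
    chain.balances[attacker] -= amount  # loan must be repaid in the same block
    chain.balances[pool] += amount
    return executed


def run_scenario(voting_delay, timelock):
    """Constructed holdings: 100 tokens in total, 60 of them sitting in a lending pool."""
    chain = Chain(balances={"alice": 20, "bob": 15, "lending_pool": 60, "attacker": 5})
    gov = Governance(chain, voting_delay=voting_delay, timelock=timelock)
    return flash_loan_capture(gov, "attacker", "lending_pool", 60)


def sustained_holders_can_pass(voting_delay=1, timelock=2):
    """Holders whose balances persist across blocks still pass proposals under the hardened settings."""
    chain = Chain(balances={"alice": 40, "bob": 30, "lending_pool": 25, "attacker": 5})
    gov = Governance(chain, voting_delay=voting_delay, timelock=timelock)
    p = gov.propose("alice")
    for _ in range(voting_delay):
        chain.advance()
    gov.vote(p, "alice")
    gov.vote(p, "bob")  # 70 of 100 clears the 50% threshold
    while chain.block < p.created_block + timelock:
        chain.advance()
    return gov.execute(p)
```

With live balances and same-block execution, the borrowed 60 tokens give the attacker 65 of 100 votes and the proposal executes before the loan is repaid. Either mitigation alone defeats the single-block loan: a voting delay of one block means the vote cannot be cast until the borrowed balance is gone, and a timelock means the passed proposal cannot execute until after repayment. Holders who keep their tokens across blocks are unaffected.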

Technically, this was not a hack, as the smart contracts and governance protocols worked as intended. Their design flaws were exploited, as project spokesperson “Publius” admitted during a meeting on April 18th:

“It’s unfortunate that the same governance structure that enabled beanstalk to prosper also proved to be its downfall.”

PeckShield, a blockchain security analysis organisation, warned the Beanstalk team on Twitter on April 17 at 12:41 p.m. UTC that something might be wrong, with the understated message: “Hello, @beanstalkFarms. Perhaps you’d like to have a look.”

By then it was too late. According to PeckShield, the exploiter had already stolen approximately $80 million in Ether (ETH) and Beans (BEAN), while the protocol as a whole lost its entire $182 million in total value locked (TVL). BEAN is now trading at $0.17 on CoinGecko, but dipped to $0.06 after the exploiter dumped their tokens.

To conceal their digital footprints, the exploiter exchanged BEAN for ETH and subsequently delivered the funds to Tornado Cash. They did, however, send 250,000 USDC to Ukraine’s Crypto Donation wallet.

At 11:49 p.m. UTC on April 17, Publius stated that the initiative is almost certainly doomed due to a lack of venture capital backing to recoup losses, adding, “We are f**ked.”

Publius doxxed the three individuals that developed the project during a team and community meeting on the Beanstalk Discord channel on April 18. They are Benjamin Weintraub, Brendan Sanderson, and Michael Montoya, who met at the University of Chicago and came up with the idea for Beanstalk Farms.

Montoya stated that the team had contacted the Federal Bureau of Investigation’s (FBI) Crime Center and would “cooperate completely with them in locating the criminals and recouping funds.”


The team has halted the protocol’s smart contracts and cancelled all governance privileges.

Despite their own enormous personal losses, the Beanstalk community has been overwhelmingly supportive of the team during this tough time. However, community member “Astrabean” believes the team should take greater ownership of the attack rather than accepting it as an honest error from which the project must learn. “I would have wanted you, as leaders, to accept responsibility for what happened,” he stated.

“CharlieP,” a community member, shared those concerns about protocol trust. “Are you saying you have no responsibility for this endeavour?” he inquired of the crew. “If that is the case, who are we to believe will prevent this from happening again?”

Publius answered that the project was merely an experiment in open-source code, not a business, and that neither he nor the team should be held responsible for what occurred. He continued,

“Asking us to accept responsibility is completely unacceptable.”


Disclaimer: These are the writer’s opinions and should not be considered investment advice. Readers should do their own research.
