The stablecoin protocol’s own governance proposal system was abused, allowing malevolent actors to withdraw the protocol’s whole $182 million in collateral.
Beanstalk Farms, a credit-based stablecoin platform, lost all of its $182 million collateral following a security breach triggered by two nefarious governance proposals and a flash loan attack.
The protocol’s vulnerability was sown by dubious governance proposals BIP-18 and BIP-19, submitted on April 16 by the exploiter, which asked the protocol to donate funds to Ukraine. However, those proposals included a malicious rider that ultimately allowed the protocol’s funds to be drained, according to smart contract auditor BlockSec.
At 12:24 p.m. UTC, the latest security breach of a decentralised finance (DeFi) protocol occurred. At that moment, the exploiter took out a $1 billion flash loan from the AAVE (AAVE) protocol in DAI (DAI), USD Coin (USDC) and Tether (USDT) stablecoins. They utilised these funds to amass enough voting power to seize control of the protocol’s governance and pass their own proposals.
We’re engaging all efforts to try to move forward. As a decentralized project, we are asking the DeFi community and experts in chain analytics to help us limit the exploiter's ability to withdraw funds via CEXes. If the exploiter is open to a discussion, we are as well. https://t.co/fwceVz6hbi
— Beanstalk Farms (@BeanstalkFarms) April 17, 2022
A flash loan must be executed and repaid within a single block and frequently requires the execution of multiple smart contracts simultaneously. In the past, flash loans have been used to carry out hacks or security attacks on other protocols. Beanstalk Farms is an Ethereum-based decentralised algorithmic stablecoin issuing platform.
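A small Python model of the mechanism described above, added here as an illustration (it is not Beanstalk’s code, and the balances and names are constructed): when voting power is read from live token balances, tokens borrowed and repaid inside a single block can carry a supermajority and an immediate commit; when balances are snapshotted at the moment a proposal is filed, the borrowed tokens carry no weight.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical token-weighted governance model (not Beanstalk's contracts).
# Two defensive knobs are modelled: snapshotting balances when a proposal is
# created, and an execution delay measured in blocks.

@dataclass
class Proposal:
    created_block: int
    snapshot: Optional[Dict[str, int]]  # balances frozen at creation, or None
    votes_for: int = 0

class Governance:
    SUPERMAJORITY_NUM, SUPERMAJORITY_DEN = 2, 3  # two-thirds of supply to pass

    def __init__(self, balances: Dict[str, int], snapshot_votes: bool, delay_blocks: int):
        self.balances = dict(balances)
        self.snapshot_votes = snapshot_votes
        self.delay_blocks = delay_blocks
        self.block = 0

    def propose(self) -> Proposal:
        snap = dict(self.balances) if self.snapshot_votes else None
        return Proposal(self.block, snap)

    def vote(self, p: Proposal, voter: str) -> None:
        # Vulnerable variant reads the live balance; hardened variant reads the snapshot.
        source = p.snapshot if p.snapshot is not None else self.balances
        p.votes_for += source.get(voter, 0)

    def can_execute(self, p: Proposal) -> bool:
        source = p.snapshot if p.snapshot is not None else self.balances
        supply = sum(source.values())
        passed = p.votes_for * self.SUPERMAJORITY_DEN >= self.SUPERMAJORITY_NUM * supply
        matured = self.block >= p.created_block + self.delay_blocks
        return passed and matured

def flash_loan_takeover(snapshot_votes: bool, delay_blocks: int = 0) -> bool:
    """Replay a same-block borrow / vote / commit / repay sequence (constructed balances)."""
    gov = Governance({"holder_a": 40, "holder_b": 30}, snapshot_votes, delay_blocks)
    gov.block = 1
    p = gov.propose()                  # attacker holds nothing when the proposal is filed
    gov.block = 2                      # everything below happens inside this one block
    gov.balances["attacker"] = 500     # flash-loaned tokens, far more than honest supply
    gov.vote(p, "attacker")
    executed = gov.can_execute(p)      # immediate commit attempted while the loan is live
    gov.balances["attacker"] = 0       # loan repaid before the block closes
    return executed
```

A block delay alone also refuses the same-block commit in this model, but the borrowed weight stays tallied in `votes_for`; the snapshot is what removes it.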
Technically, this was not a hack, as the smart contracts and governance protocols worked as intended. Their design flaws were exploited, as project spokesperson “Publius” admitted during a meeting on April 18th:
“It’s unfortunate that the same governance structure that enabled beanstalk to prosper also proved to be its downfall.”
PeckShield, a blockchain security analysis organisation, warned the Beanstalk team through Twitter on April 17 at 12:41 p.m. UTC that something might be wrong, with the alarming message: “Hello, @beanstalkFarms. Perhaps you’d like to have a look.”
Our initial analysis shows the @BeanstalkFarms loss is ~$182m ! Here is the breakdown of stolen assets: 79,238,241 BEAN3CRV-f, 1,637,956 BEANLUSD-f, 36,084,584 BEAN, and 0.54 UNI-V2_WETH_BEAN. https://t.co/8OzPn8F8ot
— PeckShield Inc. (@peckshield) April 17, 2022
It was too late at that time. According to PeckShield, the exploiter had already stolen approximately $80 million in Ether (ETH) and Beans (BEAN), while the entire protocol lost its $182 million in total value locked (TVL). BEAN is now trading at $0.17 on CoinGecko, but dipped to $0.06 after the exploiter dumped their tokens.
To conceal their digital footprints, the exploiter exchanged BEAN for ETH and subsequently delivered the funds to Tornado Cash. They did, however, send 250,000 USDC to Ukraine’s Crypto Donation wallet.
At 11:49 p.m. UTC on April 17, Publius stated that the initiative is almost certainly doomed due to a lack of venture capital backing to recoup losses, adding, “We are f**ked.”
Publius doxxed the three individuals that developed the project during a team and community meeting on the Beanstalk Discord channel on April 18. They are Benjamin Weintraub, Brendan Sanderson, and Michael Montoya, who met at the University of Chicago and came up with the idea for Beanstalk Farms.
Montoya stated that the team had contacted the Federal Bureau of Investigation’s (FBI) Crime Center and would “cooperate completely with them in locating the criminals and recouping funds.”
The team has halted the protocol’s smart contracts and cancelled all governance privileges.
Despite their own enormous personal losses, the Beanstalk community has been overwhelmingly supportive of the team during this tough time. However, community member “Astrabean” believes the team should take greater ownership of the attack rather than accepting it as an honest error from which the project must learn. “I would have wanted you, as leaders, to accept responsibility for what happened,” he stated.
“CharlieP,” a community member, shared those concerns about protocol trust. “Are you saying you have no responsibility for this endeavour?” he asked the team. “If that is the case, who are we to believe will prevent this from happening again?”
Publius answered that the project was merely an experiment in open-source code, not a business, and that neither he nor the team should be held responsible for what occurred. He continued,
“Asking us to accept responsibility is completely unacceptable.”
Disclaimer: These are the writer’s opinions and should not be considered investment advice. Readers should do their own research.