Beanstalk Farms, a credit-based stablecoin protocol, lost all of its $182 million in total value locked to a security breach carried out with two malicious governance proposals and a flash loan attack.
The protocol’s problem was sown by suspicious governance proposals BIP-18 and BIP-19, issued on April 16 by the exploiter, which requested that the protocol donate funds to Ukraine. According to smart contract auditor BlockSec, those proposals had a malicious rider attached to them, which ultimately created the sinkhole that drained funds from the protocol.
The breach occurred at 12:24 p.m. UTC. In it, the exploiter borrowed $1 billion from the AAVE (AAVE) protocol in DAI (DAI), USD Coin (USDC), and Tether (USDT) stablecoins via a flash loan. They used these funds to amass enough assets to control 67 percent of the protocol’s governance voting power and approve their own proposals.
A flash loan must be borrowed and repaid within a single block, and typically chains several smart contract calls inside the same transaction. Flash loans have previously been used in hacks and security exploits against other protocols. Beanstalk Farms is an Ethereum-based decentralised algorithmic stablecoin issuing platform.
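As an added illustration (not Beanstalk's own contract code), this toy model shows why a governance design that weighs votes by a voter's current token balance lets a single-block flash loan reach the 67 percent threshold, and why weighting votes at the block the proposal was created does not; the holders, balances, the "BIP-X" name and the loan size are constructed.

```python
# Toy model of token-weighted governance and a same-block flash-loan vote.
# Added illustration, not Beanstalk's contract code: holders, balances,
# the proposal name and the loan size are constructed for the example.
from dataclasses import dataclass, field

SUPERMAJORITY = 0.67   # share of voting power needed to pass, per the article


@dataclass
class Governance:
    balances: dict                        # holder -> governance tokens
    snapshot_votes: bool = False          # weigh votes at the proposal block?
    proposals: dict = field(default_factory=dict)

    def propose(self, pid: str, block: int) -> None:
        # Hardened variant freezes voting power when the proposal is created,
        # so tokens acquired later (e.g. via a flash loan) carry no weight.
        snap = dict(self.balances) if self.snapshot_votes else None
        self.proposals[pid] = {"block": block, "snap": snap, "for": 0}

    def vote(self, pid: str, voter: str) -> None:
        p = self.proposals[pid]
        weights = p["snap"] if p["snap"] is not None else self.balances
        p["for"] += weights.get(voter, 0)

    def can_execute(self, pid: str) -> bool:
        p = self.proposals[pid]
        weights = p["snap"] if p["snap"] is not None else self.balances
        return p["for"] / sum(weights.values()) >= SUPERMAJORITY


def same_block_vote(gov: Governance, voter: str = "attacker",
                    loan: int = 5_000) -> bool:
    """Propose with a small stake, then borrow, vote, check execution and
    repay within one block. Returns True if the proposal would execute."""
    gov.propose("BIP-X", block=0)                                # small stake
    gov.balances[voter] = gov.balances.get(voter, 0) + loan      # flash loan
    gov.vote("BIP-X", voter)                                     # same block
    passed = gov.can_execute("BIP-X")
    gov.balances[voter] -= loan                                  # repay
    return passed


def demo(snapshot_votes: bool) -> bool:
    holders = {"alice": 600, "bob": 400, "attacker": 10}        # constructed
    return same_block_vote(Governance(dict(holders), snapshot_votes))


# demo(False) -> True: current-balance voting lets borrowed tokens pass it
# demo(True)  -> False: snapshot voting ignores the borrowed tokens
```

The borrowed tokens are returned before the block ends, so the voter's lasting stake never changes; only the vote-weighting rule decides whether the proposal executes.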
Technically, this was not a hack, because the smart contracts and governance procedures worked as intended. Flaws in their design were exploited, as project spokesperson “Publius” admitted in a meeting on April 18:
“It’s unfortunate that the same governance procedure that put beanstalk in a position to succeed was ultimately its undoing.”
By then it was too late. According to PeckShield, the exploiter had already made off with approximately $80 million in Ether (ETH) and Beans (BEAN), while the entire protocol had lost $182 million in total value locked (TVL).
To hide their digital footprints, the exploiter exchanged BEAN for ETH and then sent the coins to Tornado Cash. They did, however, send 250,000 USDC to the Ukraine Crypto Donation wallet.
On April 17, at 11:49 p.m. UTC, Publius wrote that the project is likely doomed because there is no venture capital backing to recoup losses, adding, “We are f**ked.”
On April 18, Publius publicly identified the three individuals who created the project during a team and community meeting on the Beanstalk Discord channel. They are Benjamin Weintraub, Brendan Sanderson, and Michael Montoya, who met at the University of Chicago and came up with the idea for Beanstalk Farms.
Montoya stated that the team had contacted the FBI Crime Center and would “fully cooperate with them to track down the perpetrators and recover funds.”
The protocol’s smart contracts have been paused, and the team has revoked all governance privileges.
Despite their own tremendous personal losses, the Beanstalk community has been mostly supportive of the team during this difficult time. However, community member “Astrabean” believes the team should take more responsibility for the attack rather than accepting it as an honest mistake from which the project must move on. “I would have wanted you as leaders to take accountability for what happened,” he said.