Beanstalk Farms became the latest high-profile Decentralized Finance (DeFi) exploit as malicious actors exploited the protocol’s governance system to extract all of its collateral.
A Sinister Governance Proposal
Beanstalk farms lost $182 million of collateral, becoming the second nine-figure DeFi exploit in a month, thanks to a security breach caused by two governance proposals and a flash loan attack. At the root of the exploit were two suspicious governance proposals, BIP-18 and BIP-19, which were issued by the attacker on the 19th of April. The proposals seemed innocuous enough, asking for the protocol to donate funds to Ukraine.
However, the proposals had a malicious rider, which ultimately allowed the hacker to drain all of the funds from the protocol, according to an analysis by smart contract auditor BlockSec. Beanstalk took to Twitter to acknowledge the attack and stated that the protocol would announce the attack shortly.
“Beanstalk suffered an exploit today. The Beanstalk Farms team is investigating the attack and will make an announcement to the community as soon as possible.”
As a result of the attack, Beanstalk’s BEAN stablecoin collapsed and is currently down by 86.5%, according to data by CoinGecko. Just a few weeks back, the community was wrecked by another 9-figure DeFi hack in the Ronin exploit.
Details Of The Attack
The security breach occurred at 12:24 pm UTC when the attacker took out $1 billion in flash loans from AAVE, which were denominated in USD Coin (USDC), DAI (DAI), and Tether (USDT) stablecoins. The hacker then utilized these funds to acquire assets, take over 67% of Beanstalk Farm’s governance, and approve their own proposals. Beanstalk Farms tweeted they were open to discussions with the hacker,
“We’re engaging in all efforts to try to move forward. As a decentralized project, we are asking the DeFi community and experts in chain analytics to help us limit the exploiter’s ability to withdraw funds via CEXes. If the exploiter is open to a discussion, we are as well.”
The attack was flagged by security analysis firm PeckShield, which notified the Beanstalk team. However, the attacker had already siphoned off nearly $80 million in ETH and BEAN. However, the loss to the protocol was far greater as it lost all of its $182 million in total locked value (TVL). Once the attacker had the funds, they sent them to Tornado Cash, but not before they sent 250,000 USDC to Ukraine’s crypto donation wallet.
Flash Loans A Convenient Tool For Exploits
Flash loans have enabled hackers to perform security exploits on other protocols in the past as well. However, in the case of Beanstalk Farms, the events cannot be technically described as a hack, as all governance procedures and smart contracts functioned as intended. However, the hacker was able to exploit certain flaws in their design. Project Spokesperson “Publius” acknowledged these flaws stating,
“It’s unfortunate that the same governance procedure that put beanstalk in a position to succeed was ultimately its undoing.”
Is There A Way Back For Beanstalk?
Project Spokesperson Publius was quite downbeat regarding the project’s future, writing that the project, in all probability, is lost since it has no backing from venture capitalists. In further developing the unfolding events, Publius doxxed the developers of the project, identifying them as Benjamin Weintraub, Brendan Sanderson, and Michael Montoya. Montoya stated to the community that the Beanstalk team had reached out to the FBI and would fully cooperate in any investigation.
A Few Rumblings In A Supportive Community
The Beanstalk community has been fairly supportive of the team and the project thus far, despite their significant losses. However, some community members have publicly stated that the team should take more responsibility for the attack. However, Publius responded, stating that the project is an open-source code experiment and that neither the team nor he should be held accountable.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
Source: https://cryptodaily.co.uk/2022/04/beanstalk-farm-loses-182-m-through-governance-exploit