Over the weekend, the decentralized protocol Beanstalk suffered an $80 million hacking attack.
The hacker attack on the DeFi Beanstalk platform
The attackers exploited a flaw in the protocol, resulting in a loss of $180 million in crypto. However, they were only able to collect $80 million due to the collapse in value of the BEAN token.
Compared to its pre-hack value, BEAN lost more than 90% of its value in about two hours, which also reduced the hackers’ real profit.
The hackers had managed to steal 24,830 ETH and more than 36 million BEAN, the stablecoin of the Beanstalk protocol.
The current value of the stolen ETH tokens is about $75.5 million, while the stolen BEAN were initially worth about $36 million, but have now been reduced to a tenth of that.
The stolen tokens were laundered using Tornado Cash mixing.
The overall loss to the Beanstalk protocol therefore remains at around $180 million, while the hackers’ net take was $80 million. The missing $100 million is entirely due to the loss of value of the BEAN token, whose market capitalization fell from $109 million before the hack to the current $6.6 million.
The hackers’ strategy
The administrator of Beanstalk’s Discord server, Publius, went on to explain that the hackers had opened a flash loan on Aave with which they purchased a large amount of Beanstalk’s native governance token, STALK.
In doing so, they came to own more than 67% of all the governance tokens, an absolute majority of the votes, which they used to push through a change to the protocol’s decentralized governance that transferred all assets locked in Beanstalk’s smart contract to their own wallet.
Decentralized protocols with decentralized governance inevitably give whoever holds the absolute majority of the governance tokens the power to push through any changes to the rules of the protocol. It’s essentially as if someone gains full control of the protocol itself.
At that point, one of the things that the person with the absolute majority of votes can do is to impose new rules allowing the transfer of funds to their wallets.
While this type of attack caused the protocol’s native token to lose enormous market value, it had no effect on the collateral: while BEAN’s value plummeted 90% in a few hours, ETH’s was actually rising.
ETH is capitalized at $367 billion, more than three thousand times BEAN’s market capitalization.
Beanstalk did not have adequate measures in place to resist attacks financed by flash loans, so the hackers were able to exploit this flaw in the protocol.
It is worth noting that flash loans make it possible to borrow even very large amounts of tokens without pledging any collateral, because they are automatically repaid within the same transaction in which they are created.
The problem, therefore, does not lie in flash loans on Aave, but in the lack of adequate measures to prevent similar attacks in DeFi protocols that are not widely tested and consolidated. BEAN, for instance, appeared on the crypto markets less than a year ago.
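The takeover described under “The hackers’ strategy” and the missing countermeasures mentioned just above can be made concrete with a small model. The following Python is an added, constructed example, not Beanstalk’s, Aave’s or any project’s code: the account names, token amounts, block numbers and the checkpoint scheme are invented. It contrasts a governance contract that weighs votes by live token balance (which a flash loan can inflate within one transaction) with one that reads vote weight from a past-block snapshot and enforces a voting delay, so that tokens held only for the duration of a single transaction never count.

```python
"""Toy model of token-weighted governance (constructed example, not any
project's code). Compares live-balance voting with snapshot voting plus a
voting delay under a flash-loan takeover attempt."""

from dataclasses import dataclass


class Token:
    """Governance token that checkpoints balances at the end of each block
    (simplified stand-in for an ERC20Votes-style checkpoint; assumption)."""

    def __init__(self, balances: dict):
        self.balances = dict(balances)
        self.checkpoints = {}  # block number -> balances at end of that block

    def total_supply(self) -> int:
        return sum(self.balances.values())

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def end_block(self, block: int) -> None:
        self.checkpoints[block] = dict(self.balances)

    def balance_at(self, account: str, block: int) -> int:
        """Balance at the latest checkpoint at or before `block` (0 if none)."""
        past = [b for b in self.checkpoints if b <= block]
        return self.checkpoints[max(past)].get(account, 0) if past else 0


@dataclass
class Proposal:
    created: int    # block in which the proposal was submitted
    snapshot: int   # block whose checkpoint fixes every voter's weight
    votes_for: int = 0


class Governance:
    def __init__(self, token: Token, treasury: int, *, snapshot_votes: bool,
                 voting_delay: int, quorum_pct: int = 50):
        self.token = token
        self.treasury = treasury        # collateral held by the protocol
        self.snapshot_votes = snapshot_votes
        self.voting_delay = voting_delay
        self.quorum_pct = quorum_pct    # must be strictly exceeded to pass
        self.proposals = []

    def propose(self, block: int) -> int:
        self.proposals.append(Proposal(block, block + self.voting_delay))
        return len(self.proposals) - 1

    def vote(self, pid: int, voter: str, block: int) -> int:
        p = self.proposals[pid]
        if self.snapshot_votes:
            # Weight comes from an already-final block, so tokens borrowed
            # and repaid inside one transaction are never visible here.
            if block <= p.snapshot:
                raise ValueError("snapshot block not yet final")
            weight = self.token.balance_at(voter, p.snapshot)
        else:
            weight = self.token.balances.get(voter, 0)   # weak: live balance
        p.votes_for += weight
        return weight

    def execute(self, pid: int, block: int) -> int:
        p = self.proposals[pid]
        if block < p.snapshot:
            raise ValueError("voting has not opened yet")
        if p.votes_for * 100 <= self.quorum_pct * self.token.total_supply():
            raise ValueError("proposal did not reach the required majority")
        amount, self.treasury = self.treasury, 0  # malicious proposal drains it
        return amount


def build(snapshot_votes: bool, voting_delay: int):
    """Fresh state: two honest holders, a lending pool holding most of the
    supply, an attacker holding nothing, and a checkpoint at block 9."""
    token = Token({"alice": 30, "bob": 30, "lending_pool": 200, "attacker": 0})
    gov = Governance(token, 1_000_000, snapshot_votes=snapshot_votes,
                     voting_delay=voting_delay)
    token.end_block(9)
    return token, gov


def flash_loan_tx(gov: Governance, block: int, actions) -> int:
    """Run `actions(block)` with the pool's whole balance borrowed by the
    attacker and repaid before the transaction ends. Any failure reverts all
    state changes, as an on-chain transaction would, and yields 0."""
    token = gov.token
    saved = (dict(token.balances), gov.treasury, list(gov.proposals))
    loan = token.balances["lending_pool"]
    try:
        token.transfer("lending_pool", "attacker", loan)
        captured = actions(block)
        token.transfer("attacker", "lending_pool", loan)
        return captured
    except ValueError:
        token.balances, gov.treasury, gov.proposals = saved
        return 0


def same_block_attack(snapshot_votes: bool, voting_delay: int) -> int:
    """Propose, vote and execute inside the single flash-loan transaction."""
    _, gov = build(snapshot_votes, voting_delay)

    def actions(block):
        pid = gov.propose(block)
        gov.vote(pid, "attacker", block)
        return gov.execute(pid, block)

    return flash_loan_tx(gov, 10, actions)


def patient_attack(snapshot_votes: bool, voting_delay: int) -> int:
    """Propose first, let the voting delay pass, then borrow again to vote."""
    token, gov = build(snapshot_votes, voting_delay)
    pid = gov.propose(10)
    vote_block = 10 + voting_delay + 1
    for b in range(10, vote_block):
        token.end_block(b)   # every checkpoint records the attacker at 0

    def actions(block):
        gov.vote(pid, "attacker", block)
        return gov.execute(pid, block)

    return flash_loan_tx(gov, vote_block, actions)


if __name__ == "__main__":
    for cfg in ((False, 0), (True, 1)):
        print(cfg, same_block_attack(*cfg), patient_attack(*cfg))
```

With live-balance voting and no delay, both the single-transaction attempt and the two-step attempt capture the whole treasury, because the borrowed 200 tokens out of a 260-token supply are counted at the moment of voting. With snapshot voting and a one-block delay, the single-transaction attempt fails at the vote (the snapshot block is not yet final) and the two-step attempt fails at execution (the attacker’s weight at the snapshot block is zero, since the loan was repaid before that block closed). The delay alone is not enough: what defeats the flash loan is reading vote weight from a block in which the borrowed tokens were never held.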
At the moment, it is not known whether the Beanstalk protocol will be able to function properly again, i.e. whether BEAN’s value will return to parity with the dollar.
Source: https://en.cryptonomist.ch/2022/04/19/beanstalk-hacked-80-million-stolen/