DeFi protocol Beanstalk loses $180M in exploit, hacker gains $80M

DeFi protocol Beanstalk Farms lost over $180 million to malicious players due to an exploit on April 17 that allowed a hacker to pass a governance proposal.

The Ethereum-based stablecoin protocol’s exploit left several tokens missing and saw its U.S. dollar-pegged stablecoin drop below the $1 mark.

Beans protocol exploited

Blockchain security company PeckShield first reported the hack on Twitter and said a hacker stole more than $80 million by exploiting Beanstalk Farms.

The hacker used flash loans to obtain a large amount of Beanstalk STALK tokens, which gave them enough voting power to pass a governance proposal that drained all the funds on the protocol into the hacker’s wallet.

The hacker then paid back the flash loans from Aave, Uniswap V2, and Sushiswap and converted the funds to Wrapped ETH. The stolen funds were then sent through the Tornado Cash mixer. The hacker also donated some of his stolen crypto to Ukraine.

 

Flash loan exploits are common

Beanstalk Farms’ exploit is not the first time attackers have exploited flash loans. According to the attack summary posted on the Beanstalk Discord server, the exploit happened because Beanstalk failed to:

“use a flash loan resistant measure to determine the % of Stalk that had voted in favor of the BIP.”

The blockchain Security firm responsible for auditing Beanstalk smart contracts, Omnicia, said Beanstalk launched the code with the flash loan vulnerability after its audit. It added in a postmortem analysis of the attack that it had not yet audited the exploited code.

Given the prevalence of flash loans exploits in the DeFi space, it’s surprising that Beanstalk introduced the code without proper auditing.

In addition, there are concerns about whether the protocol will reimburse users. Beanstalk Farms said it will provide more updates at its next town hall meeting.

The hack comes only a few weeks after a Ronin bridge exploit lost over $600 million on Axie Infinity in March.

Meanwhile, Tornado Cash’s use by hackers has given rise to criticism for its lack of effort in preventing fraud. The ETH mixer recently said it is using the Chainanalysis Oracle contract to block addresses sanctioned by the Office of Foreign Assets Control (OFAC) from using its services.

Posted In: Ethereum, Hacks
Symbiosis

Source: https://cryptoslate.com/defi-protocol-beanstalk-loses-180m-in-exploit-hacker-gains-80m/