The Verge reports, “Beanstalk cryptocurrency project robbed after hacker votes to send themself $182 million”.
On Sunday [2022-04-17], an attacker managed to drain around $182 million of cryptocurrency from Beanstalk Farms, a decentralized finance (DeFi) project aimed at balancing the supply and demand of different cryptocurrency assets. Notably, the attack exploited Beanstalk’s majority vote governance system, a core feature of many DeFi protocols.
The attack was spotted on Sunday morning by blockchain analytics company PeckShield, which estimated the net profit for the hacker was around $80 million of the total funds stolen, minus some of the borrowed funds that were required to perform the attack.
Beanstalk admitted to the attack in a tweet shortly afterward, saying they were “investigating the attack and will make an announcement to the community as soon as possible.”
The attacker(s) used another DeFi product, a “flash loan”, to acquire a stake large enough to control the project, permitting majority confirmation of the transfer from its treasury.
According to analysis from blockchain security firm CertiK, the Beanstalk attacker used a flash loan obtained through the decentralized protocol Aave to borrow close to $1 billion in cryptocurrency assets and exchanged these for enough beans to gain a 67 percent voting stake in the project. With this supermajority stake, they were able to approve the execution of code that transferred the assets to their own wallet. The attacker then instantly repaid the flash loan, netting an $80 million profit.
Based on the duration of an Aave flash loan, the entire process took place in less than 13 seconds.
“And, it’s gone.”
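A toy model of the mechanism described above, as an added example that is not from The Verge, CertiK or Beanstalk's own code: it compares reading voting weight from live balances with reading it from the previous block's snapshot. The token amounts, the two-thirds threshold and all names are constructed, and the snapshot check is an assumed mitigation, not something the article reports.

```python
from dataclasses import dataclass, field

SUPERMAJORITY = 2 / 3  # threshold assumed for this toy model


@dataclass
class Governance:
    """Toy token-weighted governance; all balances are constructed values."""
    balances: dict
    treasury: int
    block: int = 0
    history: dict = field(default_factory=dict)  # block number -> balances

    def mine_block(self):
        # Record end-of-block balances, then advance the chain by one block.
        self.history[self.block] = dict(self.balances)
        self.block += 1

    def power(self, voter, use_snapshot):
        if use_snapshot:
            # Hardened: weight votes by balances as of the previous block.
            snap = self.history.get(self.block - 1, {})
            return snap.get(voter, 0), sum(snap.values())
        # Weak: weight votes by whatever is held at this instant.
        return self.balances.get(voter, 0), sum(self.balances.values())

    def execute_transfer(self, voter, use_snapshot):
        held, total = self.power(voter, use_snapshot)
        if total == 0 or held / total < SUPERMAJORITY:
            return 0  # proposal rejected, treasury untouched
        paid, self.treasury = self.treasury, 0
        return paid


def flash_loan_vote(gov, borrower, amount, use_snapshot):
    """Borrow, vote and repay inside one block, as a flash loan requires."""
    gov.balances[borrower] = gov.balances.get(borrower, 0) + amount
    paid = gov.execute_transfer(borrower, use_snapshot)
    gov.balances[borrower] -= amount  # loan repaid before the block ends
    return paid


def simulate(use_snapshot):
    # Constructed scenario: 1,000 tokens held by long-term holders, 2,100 borrowed.
    gov = Governance(balances={"holders": 1_000}, treasury=182)
    gov.mine_block()
    return flash_loan_vote(gov, "borrower", 2_100, use_snapshot)
```

With live balances the borrowed tokens count toward the vote and the treasury is paid out; with the snapshot the borrower held nothing one block earlier, so the proposal fails.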
In the project’s Discord server, many users claim to have lost tens of thousands of dollars of invested cryptocurrency. Since the attack, the hacker has been moving funds through Tornado Cash, a privacy-focused mixer service that has become a go-to step in laundering stolen cryptocurrency funds. With much of the stolen money now obscured, it’s unlikely to be traced and returned.
In the wake of the attack, the value of the BEAN stablecoin has tanked, breaking the $1 peg and trading for around 14 cents on Monday afternoon.
Many of these DeFi projects are based upon “proof of stake”, and Ethereum itself is planning to migrate to that system. This is in contrast to the “proof of work” protocol used by Bitcoin and present-day Ethereum, which has been criticised as being costly in energy expended. As the Wikipedia article on proof of stake notes, “Critics have argued that the proof of stake model is less secure compared to the proof of work model.” Looks like they might be on to something there.
Here is the Beanstalk “Exploit Town Hall” (audio only). I find this completely unlistenable.