Beanstalk Farms loses $182M in DeFi governance exploit

Published at: April 18, 2022

Credit-based stablecoin protocol Beanstalk Farms lost all of its $182 million collateral from a security breach caused by two sinister governance proposals and a flash loan attack.

The problem for the protocol was seeded by suspicious governance proposals BIP-18 and BIP-19, which were issued on Saturday by the exploiter, who asked for the protocol to donate funds to Ukraine. However, those proposals had a malicious rider attached to them that ultimately created the sinkhole of funds from the protocol, according to smart contract auditor BlockSec.

This latest security breach of a decentralized finance (DeFi) protocol took place at 12:24 pm UTC. At that time, the exploiter took out $1 billion in flash loans from the Aave (AAVE) protocol denominated in DAI (DAI), USD Coin (USDC), and Tether (USDT) stablecoins. They used these funds to accumulate enough assets to take over 67% of the protocol’s governance and approve their own proposals.

We’re engaging all efforts to try to move forward. As a decentralized project, we are asking the DeFi community and experts in chain analytics to help us limit the exploiter's ability to withdraw funds via CEXes. If the exploiter is open to a discussion, we are as well. https://t.co/fwceVz6hbi

— Beanstalk Farms (@BeanstalkFarms) April 17, 2022

A flash loan must be executed and repaid within a single block and usually calls on several smart contracts to complete at once. Flash loans have been used in the past to perform hacks or security exploits of other protocols. Beanstalk Farms is a decentralized algorithmic stablecoin issuing platform on Ethereum.
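The governance weakness described above can be shown with a small model. The Python below is an added example, not code from the article or from Beanstalk: it contrasts a governance contract that weighs votes by live token balances (so tokens held for only part of a block count in full) with one that snapshots voting power when a proposal is created. All holder names, proposal ids and balances are constructed.

```python
# Added example, not code from the article or from Beanstalk: a toy model of
# token-weighted governance. The fragile variant weighs votes by *live* balances,
# so tokens held for only part of a block count in full; the hardened variant
# freezes voting power when the proposal is created. All names are invented.

SUPERMAJORITY = 2 / 3   # share of supply needed to pass (the article cites 67%)


class Governance:
    def __init__(self, balances, total_supply, hardened):
        self.balances = dict(balances)   # live token balances: holder -> amount
        self.total_supply = total_supply
        self.hardened = hardened
        self.proposals = {}              # proposal id -> {"snapshot": ..., "executed": ...}

    def propose(self, pid):
        # Hardened variant records every holder's balance at proposal time.
        snapshot = dict(self.balances) if self.hardened else None
        self.proposals[pid] = {"snapshot": snapshot, "executed": False}

    def voting_power(self, pid, holder):
        snapshot = self.proposals[pid]["snapshot"]
        source = snapshot if snapshot is not None else self.balances
        return source.get(holder, 0)

    def try_execute(self, pid, holder):
        """Return True if `holder` alone meets the supermajority and the proposal runs."""
        share = self.voting_power(pid, holder) / self.total_supply
        if share < SUPERMAJORITY:
            return False
        self.proposals[pid]["executed"] = True
        return True


def simulate(hardened):
    """A holder with 1% of supply who temporarily holds 70% at execution time.

    Constructed scenario: the proposal is created earlier, the extra tokens are
    held only for the block in which execution is attempted, then returned.
    """
    gov = Governance({"actor": 1, "others": 99}, total_supply=100, hardened=hardened)
    gov.propose("bip-x")
    gov.balances["actor"] += 69        # tokens borrowed for a single block
    passed = gov.try_execute("bip-x", "actor")
    gov.balances["actor"] -= 69        # returned within the same block
    return passed
```

With live-balance voting the proposal executes; with the snapshot the same holder has 1% of the vote and the proposal is rejected, while a holder who genuinely held a supermajority at proposal time still passes.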

This case was technically not a hack as the smart contracts and governance procedures functioned as designed. Flaws in their design were exploited, which project spokesperson “Publius” acknowledged in a meeting on Monday when he said:

“It’s unfortunate that the same governance procedure that put beanstalk in a position to succeed was ultimately its undoing.”

Blockchain security analysis firm PeckShield notified the Beanstalk team via Twitter at 12:41 pm UTC on Sunday that there might be an issue, with the ominous statement: “Hi, @beanstalkFarms, you may want to take a look.”

Our initial analysis shows the @BeanstalkFarms loss is ~$182m ! Here is the breakdown of stolen assets: 79,238,241 BEAN3CRV-f, 1,637,956 BEANLUSD-f, 36,084,584 BEAN, and 0.54 UNI-V2_WETH_BEAN. https://t.co/8OzPn8F8ot

— PeckShield Inc. (@peckshield) April 17, 2022

At that point, it was too late. The exploiter had already made off with roughly $80 million in Ether (ETH) and Beans (BEAN), while the entire protocol lost its $182 million in total value locked (TVL), according to PeckShield. BEAN is currently down about 83%, trading at $0.17 according to CoinGecko, but troughed at $0.06 when the exploiter dumped their tokens.

The exploiter swapped BEAN for ETH and then sent the coins to Tornado Cash to cover their digital tracks. However, they also sent 250,000 USDC to the Ukraine Crypto Donation wallet.

At 11:49 pm UTC on April 17, Publius wrote that the project is likely lost since there is no venture capital backing to recoup losses, adding “We are f**ked.”

In a team and community meeting on the Beanstalk Discord channel on April 18, Publius doxxed the three individuals who developed the project. They are Benjamin Weintraub, Brendan Sanderson and Michael Montoya, all of whom attended the University of Chicago together and conceived Beanstalk Farms. 

Montoya said that the team had reached out to the Federal Bureau of Investigation (FBI) Crime Center and would “fully cooperate with them to track down the perpetrators and recover funds.”

The protocol’s smart contracts have been paused and all governance privileges have been revoked by the team.

Related: North Korean Lazarus Group allegedly behind Ronin Bridge hack

The team did not respond when Cointelegraph asked if they believe the FBI has any legal recourse to help them, but Publius believes this is definitely a theft that should be investigated.

Beanstalk’s community has been mostly supportive of the team in the trying time despite their own tremendous personal losses. However, community member Astrabean believes the team should be taking more responsibility for the attack rather than accepting what happened as an honest mistake that the project must move on from. He stated that “I would have wanted you as leaders to take accountability for what happened.”

Community member CharlieP echoed those concerns about trust in the protocol. He asked the team “Are you saying you have no responsibility for this endeavor? If that’s the case, who are we to trust that this is not going to happen again?”

Publius responded that the project is just an open-source code experiment, not a business, and that neither he nor the team should be held accountable for what happened. He added,

“When you ask us to take responsibility, it’s really inappropriate.”