The credit-based stablecoin protocol Beanstalk Farms lost all of its $182 million in collateral in a security breach that combined two malicious governance proposals with a flash loan attack.
The attack was seeded on April 16, when the exploiter submitted governance proposals BIP-18 and BIP-19, which ostensibly called for the protocol to donate funds to Ukraine. According to smart contract auditor BlockSec, those proposals carried a hidden malicious clause that ultimately became the sink for the protocol’s funds.
This latest security breach of a decentralized finance (DeFi) protocol took place at 12:24 pm UTC on April 17. At that moment, the exploiter took out $1 billion in flash loans from the Aave protocol (AAVE), denominated in the stablecoins DAI (DAI), USD Coin (USDC) and Tether (USDT), and used those funds to amass enough voting power to control 67% of the protocol’s governance and pass his own proposals.
We’re engaging all efforts to try to move forward. As a decentralized project, we are asking the DeFi community and experts in chain analytics to help us limit the exploiter’s ability to withdraw funds via CEXes. If the exploiter is open to a discussion, we are as well. https://t.co/fwceVz6hbi
— Beanstalk Farms (@BeanstalkFarms) April 17, 2022
A flash loan must be borrowed and repaid within a single transaction, and therefore within a single block, and typically chains calls to several smart contracts to complete. Flash loans have been used before to carry out hacks and exploits of other protocols. Beanstalk Farms is a decentralized algorithmic stablecoin protocol on Ethereum.
Strictly speaking, this was not a hack: the smart contracts and governance procedures worked as designed, and the exploiter simply took advantage of flaws in that design. The project’s pseudonymous spokesperson, “Publius,” acknowledged as much in a meeting on April 18:
“It is unfortunate that the very governance procedure that made Beanstalk successful was ultimately its undoing.”
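The mechanics behind that remark, as an added illustration that is not Beanstalk’s code: a toy Python model of a governance contract that weighs each vote by the voter’s current token balance and lets any proposal with a two-thirds supermajority execute in the block in which it reaches it, alongside a lender whose flash loan must be repaid before the borrowing transaction ends. The names, balances, the 1:1 minting of governance tokens against deposited stablecoins and the two-thirds threshold are all assumptions made for the example. It shows the takeover succeeding under those rules and failing once votes are weighed by a balance snapshot taken before the proposal existed, or once execution is delayed by even one block, because a flash-loaned balance cannot survive the transaction that borrowed it.

```python
from copy import deepcopy
SUPERMAJORITY = 2 / 3   # pass threshold assumed for this toy model


class Revert(Exception):
    """Abort the current transaction; Chain.transact rolls state back."""


class Chain:
    def __init__(self, gov_balances, lender_pool, treasury):
        self.gov = dict(gov_balances)    # governance-token balances
        self.cash = {}                   # stablecoin balances of users
        self.pool = lender_pool          # stablecoins a lender offers as flash loans
        self.treasury = treasury         # protocol funds a proposal may move
        self.block = 1
        self.history = {}                # block number -> gov balances at block end

    def mine_block(self):
        self.history[self.block] = dict(self.gov)
        self.block += 1

    def transact(self, tx):
        """Run tx(chain) atomically: on Revert, undo every state change."""
        saved = deepcopy(self.__dict__)
        try:
            return tx(self)
        except Revert:
            self.__dict__.update(saved)
            return None

    def flash_loan(self, borrower, amount, body):
        """Lend stablecoins, run body(), demand repayment before returning."""
        self.pool -= amount
        self.cash[borrower] = self.cash.get(borrower, 0) + amount
        result = body()          # the loan cannot outlive this call, let alone the block
        if self.cash.get(borrower, 0) < amount:
            raise Revert("flash loan not repaid")
        self.cash[borrower] -= amount
        self.pool += amount
        return result

    def deposit(self, who, amount):          # lock stablecoins, mint gov tokens 1:1 (assumed)
        if self.cash.get(who, 0) < amount:
            raise Revert("insufficient cash")
        self.cash[who] -= amount
        self.gov[who] = self.gov.get(who, 0) + amount

    def withdraw(self, who, amount):         # burn gov tokens, release the stablecoins
        if self.gov.get(who, 0) < amount:
            raise Revert("insufficient gov tokens")
        self.gov[who] -= amount
        self.cash[who] = self.cash.get(who, 0) + amount

    def propose(self, proposer, snapshot, timelock):
        return {"proposer": proposer, "created": self.block, "yes": set(),
                "snapshot": snapshot, "timelock": timelock}

    def support(self, p):
        """Vulnerable rule: weigh yes-voters by the balance they hold right now. Snapshot
        rule: weigh them by the balance on record before the proposal existed."""
        if p["snapshot"]:
            ref = self.history.get(p["created"] - 1, {})
            return sum(ref.get(v, 0) for v in p["yes"])
        return sum(self.gov.get(v, 0) for v in p["yes"])

    def execute(self, p):
        if self.block < p["created"] + p["timelock"]:
            raise Revert("timelock not elapsed")
        if self.support(p) < SUPERMAJORITY * sum(self.gov.values()):
            raise Revert("no supermajority")
        self.treasury = 0        # every proposal here moves the treasury; what matters is who can pass one


def attack(snapshot=False, timelock=0):
    """True if an attacker with 5 of 80 gov tokens drains the treasury via a flash loan."""
    chain = Chain({"alice": 40, "bob": 35, "attacker": 5}, lender_pool=1_000, treasury=182)
    chain.mine_block()                          # honest balances are now on record
    def body():
        chain.deposit("attacker", 1_000)        # now 1_005 of 1_080 gov tokens
        p = chain.propose("attacker", snapshot, timelock)
        p["yes"].add("attacker")                # vote for own proposal
        if timelock == 0:
            chain.execute(p)                    # commit while still holding the loan
        chain.withdraw("attacker", 1_000)       # unwind so the loan can be repaid
        return p
    p = chain.transact(lambda c: c.flash_loan("attacker", 1_000, body))
    if p is not None and timelock:
        for _ in range(timelock):
            chain.mine_block()
        chain.transact(lambda c: c.execute(p))  # loan long gone: 5 of 80 votes
    return chain.treasury == 0


def honest_vote():
    """Snapshot voting plus a one-block timelock still let real holders (75 of 80) pass a proposal."""
    chain = Chain({"alice": 40, "bob": 35, "attacker": 5}, lender_pool=1_000, treasury=182)
    chain.mine_block()
    p = chain.propose("alice", snapshot=True, timelock=1)
    p["yes"].update({"alice", "bob"})
    chain.mine_block()
    chain.transact(lambda c: c.execute(p))
    return chain.treasury == 0
```

`attack()` returns True, while `attack(snapshot=True)` and `attack(timelock=1)` both return False and `honest_vote()` returns True, so neither mitigation blocks holders who actually own their tokens. Note that the timelock alone defeats the attack in this model only because support is re-tallied from live balances at execution time; a contract that freezes each vote’s weight when it is cast needs the snapshot rule as well. Independently of that, a delay between a proposal passing and executing is what gives a community the chance to read the proposal before it moves the funds.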
The blockchain security analysis firm PeckShield alerted the Beanstalk team via Twitter at 12:41 pm UTC on April 17 that something might be wrong, with the laconic message: “Hey @beanstalkFarms, you might want to take a look.”
Our initial analysis shows the @BeanstalkFarms loss is ~$182m ! Here is the breakdown of stolen assets: 79,238,241 BEAN3CRV-f, 1,637,956 BEANLUSD-f, 36,084,584 BEAN, and 0.54 UNI-V2_WETH_BEAN. https://t.co/8OzPn8F8ot
— PeckShield Inc. (@peckshield) April 17, 2022
By then it was too late. According to PeckShield, the exploiter had already made off with about $80 million in Ether (ETH) and Beans (BEAN), while the protocol as a whole lost its $182 million in total value locked (TVL). BEAN is currently down 83% and trading at $0.17, according to CoinGecko, after sinking to $0.06 as the exploiter dumped the tokens.
The exploiter exchanged BEAN for ETH and then sent the coins through Tornado Cash to cover his tracks. He also sent 250,000 USDC to Ukraine’s crypto donation wallet.
At 11:49 pm UTC on April 17, Publius wrote that the project is probably lost, as there is no venture capital backing to recoup the losses, adding: “We’re screwed.”
In a team and community meeting on the Beanstalk Discord channel on April 18, Publius revealed the identities of the project’s three developers: Benjamin Weintraub, Brendan Sanderson and Michael Montoya, who attended the University of Chicago together and conceived Beanstalk Farms there.
Montoya said the team had contacted the Federal Bureau of Investigation’s (FBI) crime center and would “fully cooperate with them in locating the perpetrators and recovering the funds.”
The team has paused the protocol’s smart contracts and revoked all governance privileges.
The team did not respond when Cointelegraph asked whether they believe the FBI has any legal recourse to help them, but Publius believes this is clearly a theft that warrants investigation.
The Beanstalk community has been overwhelmingly supportive of the team through these difficult times, despite its own heavy personal losses. However, community member “Astrabean” believes the team should take more responsibility for the attack rather than treat it as an honest mistake the project simply needs to move past. He stated: “I would have liked that, as leaders, they would take responsibility for what happened.”
Community member “CharlieP” echoed those concerns about trust in the protocol. He asked the team: “Are you saying that you have no responsibility in this company? If so, who are we going to trust so that this does not happen again?”
Publius responded that the project is just an open-source experiment, not a business, and that neither he nor the team should be held responsible for what happened. He added:
“When we are asked to take responsibility, it is really inappropriate.”
Clarification: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information set forth herein should not be taken as financial advice or an investment recommendation. All investment and trading activity involves risk, and it is the responsibility of each person to do their own research before making an investment decision.