DeFi project Beanstalk loses $182 million in flash loan attack


NEW YORK (BLOOMBERG) – Decentralised finance project Beanstalk Farms suffered one of the largest-ever flash-loan exploits on Sunday (April 17), sending its price tumbling.

The credit-focused, Ethereum-based stablecoin protocol suffered a total loss of around US$182 million (S$248 million) and the attacker got away with around US$80 million of crypto tokens, according to blockchain security firm PeckShield, which had flagged the incident on Twitter.

The project’s native token Bean fell about 75 per cent from its US$1 peg against the dollar, pricing from CoinGecko showed.

The protocol’s creators disclosed their identities on Beanstalk’s Discord server, and said that they were not involved in the attack. “We are not aware of the identity of the individuals who were involved.


According to BlockSec, this created the sinkhole of funds from the protocol.

The takeover took place at 12:24 pm UTC, when the exploiters took out roughly $1 billion in flash loans from the Aave protocol, mostly in DAI, USD Coin (USDC) and Tether (USDT). This gave the attackers control of 67% of the protocol’s governance power, enough to approve their own proposals.

This incident is not being regarded as a hack as all procedures were working as they should.
“Publius”, the spokesperson of the project stated that “It’s unfortunate that the same governance procedure that put Beanstalk in a position to succeed was ultimately its undoing.”

PeckShield, a blockchain security analysis firm, attempted to alert Beanstalk Farms of the breach via a tweet, but it was too late. The exploiter had already taken $80 million in Ether (ETH) and Beans (BEAN).

Uniswap and the open-source liquidity protocol Aave. According to PeckShield, the hacker used Tornado Cash, which enables privacy in cryptocurrency transactions by concealing the link between a crypto address and destination.

Beanstalk said it temporarily disabled its protocol governance and paused Beanstalk while it worked on addressing the DeFi exploit.

“Approximately $76 million was stolen from the protocol’s liquidity pools.
The team has since burned the remaining Beans in the exploiter contract,” said Beanstalk about the actions it took following the attack.

The company says it is working on a safer version of Beanstalk, and on Sunday asked users to help: “As a decentralized project, we are asking the DeFi community and experts in chain analytics to help us limit the exploiter’s ability to withdraw funds via [centralized exchanges].


On Sunday, a hacker stole cryptocurrencies valued at $182 million from the decentralized finance (DeFi) project Beanstalk Farms, effectively becoming the fourth-largest decentralized finance (DeFi) hack in history.

The flash attack drained $182 million in Ethereum, BEAN stablecoin, and other cryptocurrencies. “The perpetrator used a flash loan to exploit the protocol’s governance mechanism and send the funds to a wallet they controlled,” said a Beanstalk statement in the aftermath of the hack.

The hack came to light a mere two days after the company said it had locked over $150 million in assets on its protocol.

However, the hacker only took home a net profit of approximately $80 million, according to blockchain analytics firm PeckShield, because some of the funds were needed to carry out the attack itself.


The attack on Beanstalk exploited the absence of any safeguard against manipulating governance with flash-loaned Stalk; that missing safeguard was the point of failure that made the attack succeed.

“The core flaw that led to the exploit manifesting is that the two new LP assets [BEAN3CRV-f and BEANLUSD-f] introduced for the project’s Silo system could be created via a flash-loan (as they represented LP units) and their Bean-Denominated-Value (BDV) calculation remained unaffected by the flash-loan in contrast to the Uniswap LP BDV calculator.”

What happens now

Beanstalk hasn’t shared its plans moving forward, so reimbursing the investors remains an uncertain action.

“We believe there is a need to educate and inform non-technical market participants about the status, scope and limitations of technical audits.


In the case of the Beanstalk hack, the Publius team admitted that they had not included any provision to mitigate the possibility of a flash loan attack, although presumably this was not apparent until the situation occurred.

A request for comment (sent to the Publius team through Discord) has not yet received a response as of press time.

Brian Pasfield, CTO at cryptocurrency lending platform Fringe Finance, said that decentralized governance structures (known as DAOs) could also create problems.

“DAO governance is currently trending in DeFi,” Pasfield said. “While it is a necessary step in the decentralization process, it should be done gradually and with all the possible risks carefully weighted.

Is this a risk we are willing to take or will there also be an Emergency DAO (like Curve’s) who can block potential attacks?

Later they added:

There’s absolutely ways to mitigate some of this concern in an elegant manner … As far as I can tell, the current rule-set does not account for flash loan governance attacks or rugpull tokens.

Replying to the comment, a Publius admin account wrote that such manipulation was “not a concern in any capacity until Stalk [governance token] is liquid.”

A concern about flash loans was also raised in an AMA-style session hosted by Publius on April 12th, a video of which is available on YouTube.

Around 6 minutes into the video, a participant asks via chat: “Can the team go into …

With this supermajority stake, they were able to approve the execution of code that transferred the assets to their own wallet. The attacker then instantly repaid the flash loan, netting an $80 million profit.

Based on the duration of an Aave flash loan, the entire process took place in less than 13 seconds.

“We are seeing an increasing trend in flash loan attacks this year,” said CertiK CEO and co-founder Ronghui Gu.

“These attacks further emphasize the importance of a security audit, and also being educated about the pitfalls of security issues when writing Web3 code.”

When implemented properly, DeFi services benefit from all the security of blockchain, but their complexity can make code difficult to fully audit, making such projects an attractive target for hackers.

Like all other investors in Beanstalk, we lost all of our deposited assets in the Silo, which was substantial,” the founders wrote.

It is not yet clear whether investors who lost funds will be reimbursed – or if so, how and to what extent. Beanstalk did not reply to an e-mail from Bloomberg seeking comment.

Unlike traditional lending, which requires a loan to be secured with collateral or subject to credit checks, DeFi smart contracts allow users to borrow huge sums of stablecoins in what are known as flash loans, without any form of security.
Flash loans, in which borrowing and repaying the loan both happen within a single blockchain transaction, are fairly popular among arbitrage traders.

Flash loans have also turned out to be a soft target for exploits, as any lapse in smart-contract code lets an attacker manipulate the protocol and drain millions.

Sunday morning by blockchain analytics company PeckShield, which estimated the net profit for the hacker was around $80 million of the total funds stolen, minus some of the borrowed funds that were required to perform the attack.

Beanstalk admitted to the attack in a tweet shortly afterward, saying they were “investigating the attack and will make an announcement to the community as soon as possible.”

Beanstalk describes itself as a “decentralized credit based stablecoin protocol.” It operates a system where participants earn rewards by contributing funds to a central funding pool (called “the silo”) that is used to balance the value of one token (known as a “bean”) at close to $1.

Like many other DeFi projects, the creators of Beanstalk — a development team called Publius — included a governance mechanism where participants could vote collectively on changes to the code.

Aave, exchanged them for a 67 percent share in the Beanstalk project, voted through their own proposal to withdraw the entire treasury, and returned the borrowed funds — all in less than 13 seconds.

Though the attack shocked Beanstalk users — some of whom claimed to have lost six-figure sums of money — the threat of a governance attack was raised in Beanstalk’s Discord server months previously and in at least one public AMA session held by Publius, the development team behind the project.

On February 12th, in a discussion room centered around a proposal to accept more kinds of cryptocurrency tokens in the “Silo” (Beanstalk’s central fund reserve), a user with the screenname Mr Mochi wrote:

Because of governance attacks, bribes and voter manipulation, governance doesn’t always go as it should.

As smart-contract auditor BlockSec explained, the proposal contained a malicious smart contract to be executed when the proposal passed, which would transfer the funds from the protocol into the thief’s control. The thief waited a day until they could deposit the flash-loaned tokens to gain the necessary voting power to execute the contract, obtained the funds, and repaid the loan.
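To make concrete why freezing voting power at proposal time defeats the pattern BlockSec and the BDV quote above describe, here is a toy Python model added for this page (not Beanstalk’s, BlockSec’s or any auditor’s code): the same borrow, deposit, vote, repay sequence is run against a rule that counts current deposits and against a hardened rule that counts a snapshot taken when the proposal is created. All account names, balances, the 2/3 threshold and the governance rules are invented for the illustration.

```python
"""Toy token-weighted governance, constructed to show why counting voting power
from *current* deposits lets one transaction borrow, vote and repay its way to a
supermajority, while a snapshot taken at proposal time does not. Not Beanstalk code."""
from dataclasses import dataclass, field

SUPERMAJORITY = 2 / 3  # share of total voting power needed to commit a proposal

@dataclass
class Governance:
    snapshot_on_propose: bool = False             # True = hardened rule
    deposits: dict = field(default_factory=dict)  # account -> voting power now
    snapshot: dict = field(default_factory=dict)  # voting power at proposal time
    votes: set = field(default_factory=set)       # accounts that voted yes

    def deposit(self, account, amount):
        self.deposits[account] = self.deposits.get(account, 0) + amount

    def withdraw(self, account, amount):
        self.deposits[account] -= amount

    def propose(self):
        # Hardened rule: freeze voting power here, so tokens deposited later in
        # the same transaction as the vote (e.g. flash-loaned) carry no weight.
        self.snapshot = dict(self.deposits)
        self.votes = set()

    def can_commit(self):
        power = self.snapshot if self.snapshot_on_propose else self.deposits
        total = sum(power.values())
        yes = sum(power.get(a, 0) for a in self.votes)
        return total > 0 and yes / total >= SUPERMAJORITY

def single_tx_borrow_vote_repay(gov, account, loan):
    """What one flash-loan transaction can do: deposit borrowed tokens, vote,
    check whether the proposal commits, then withdraw and repay."""
    gov.deposit(account, loan)
    gov.votes.add(account)
    committed = gov.can_commit()
    gov.withdraw(account, loan)
    return committed

def scenario(hardened):
    """Honest holders own 100 units; a proposer with no stake brings a 1,000-unit
    loan. Returns True if the proposal would commit under the chosen rule."""
    gov = Governance(snapshot_on_propose=hardened)
    for holder, stalk in {"alice": 60, "bob": 30, "carol": 10}.items():
        gov.deposit(holder, stalk)
    gov.propose()
    return single_tx_borrow_vote_repay(gov, "proposer", loan=1_000)
```

Under the current-deposits rule `scenario(False)` commits the proposal even though the borrowed stake is gone by the end of the transaction; under the snapshot rule `scenario(True)` the same sequence has zero weight, while a genuine 70% holder who deposited before the proposal still passes.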

Beanstalk did not immediately respond to The Register‘s inquiries. It is feared the project is now dead: with no other financial backing, no bailout on the horizon and all of its collateral gone, it is game over, with Bean holders left out of pocket to the tune of thousands of dollars.
