Saturday, December 2, 2023


Beanstalk loses $182 million as yet another exploit hits DeFi in 2022

tl;dr Summary: Algorithmic stablecoin protocol Beanstalk was exploited for over $182 million on Sunday in a flash loan attack, collapsing the price of its native stablecoin, $BEAN. The hacker disguised the malicious code as a benevolent development proposal to raise funds for Ukraine, and went on to donate $250,000 USDC to Ukraine immediately after the exploit.

Beanstalk is a DeFi protocol that describes itself as ‘a decentralised algorithmic stablecoin protocol.’ The project was launched in September 2021, and had been growing in popularity since, amassing over $150 million in Total Value Locked (TVL) according to an official tweet just prior to Sunday’s exploit. The native stablecoin, $BEAN, was designed to be pegged to one dollar by a novel credit-based mechanism. After the hack, $BEAN fell dramatically from the one-dollar peg to a low of around six cents.

Source: https://www.coingecko.com/en/coins/bean

Blockchain security company Peckshield were first to alert the crypto community. The Etherscan transaction details were tweeted at 12:41 pm UTC on April 17, just over fifteen minutes after the exploit. The tweet tagged the official Beanstalk account, simply stating that they ‘might want to take a look.’ The Beanstalk team acknowledged the hack via Discord and their own Twitter account around one hour later. It is estimated that the hacker made off with around $80 million in crypto, predominantly $ETH and $BEAN, with protocol losses totalling over $180 million.

The Beanstalk project had been audited by blockchain security firm Omnicia; however, in its post-mortem the firm revealed that the exploited code was introduced after the audits were completed. Analysis shows that the attacker took multiple flash loans, which allowed them to amass huge amounts of Beanstalk’s native governance token, STALK, for the duration of a single transaction. Because a flash loan is repaid before the transaction ends, that voting power existed only momentarily, but it was enough: by holding more than 67% of total STALK supply at the instant the tally was taken, the attacker met the supermajority threshold for emergency governance actions and used it to approve their own malicious proposals.

It appears that the malicious code was introduced by the hacker one day prior to the exploit, submitted as governance proposals BIP-18 and BIP-19 under the benevolent guise of donating protocol funds to Ukraine. The same proposals contained the code that allowed Beanstalk’s funds to be drained in full, and the attacker approved them at the moment of exploit. Interestingly, the hacker still sent $250,000 of USDC to the Ukraine Crypto Donation address, and the fate of these funds is unclear.

The project leads took to the official Discord to address the issue, identifying the error in the protocol’s code:

“Beanstalk did not use a flash loan resistant measure to determine the % of Stalk that had voted in favor of the BIP. This was the fault that allowed the hacker to exploit Beanstalk.”

They went on to state that, without venture capital backing, a bailout was ‘highly unlikely’, leaving investors with little hope of recovering their lost funds.
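To make the failure the team describes concrete, here is an added toy model (not Beanstalk’s code; all account names, balances and block numbers are made up) that replays the sequence above: a proposal is submitted, a day of blocks passes, then in one atomic transaction the attacker mints governance tokens against borrowed collateral, votes, triggers the emergency commit and repays. The vulnerable tally reads live balances; the hardened one reads balances checkpointed at the block before the proposal was created, so tokens that exist only inside the committing transaction carry no weight.

```python
"""Toy model of flash-loan governance capture (added example, not Beanstalk code).

Compares an emergency commit that counts live voting-token balances with one
that counts balances snapshotted at the proposal's creation. Every name and
number here is an assumption for illustration.
"""
from bisect import bisect_right

SUPERMAJORITY = (2, 3)  # emergency commit needs >= 2/3 of voting power


class Chain:
    """Minimal block counter standing in for block.number."""
    def __init__(self):
        self.block = 1

    def mine(self, n=1):
        self.block += n


class StalkLedger:
    """Voting token that checkpoints every balance change as (block, balance)."""
    def __init__(self, chain):
        self.chain = chain
        self._acct = {}          # account -> [(block, balance), ...]
        self._total = [(0, 0)]   # [(block, total_supply), ...]

    def _push(self, hist, value):
        # One checkpoint per block: overwrite if the block already has one.
        if hist and hist[-1][0] == self.chain.block:
            hist[-1] = (self.chain.block, value)
        else:
            hist.append((self.chain.block, value))

    @staticmethod
    def _at(hist, block):
        # Latest checkpoint whose block <= `block`, else 0.
        i = bisect_right(hist, (block, float("inf")))
        return hist[i - 1][1] if i else 0

    def balance(self, acct):
        return self._at(self._acct.get(acct, []), self.chain.block)

    def balance_at(self, acct, block):
        return self._at(self._acct.get(acct, []), block)

    def total(self):
        return self._at(self._total, self.chain.block)

    def total_at(self, block):
        return self._at(self._total, block)

    def mint(self, acct, amount):
        self._push(self._acct.setdefault(acct, []), self.balance(acct) + amount)
        self._push(self._total, self.total() + amount)

    def burn(self, acct, amount):
        assert self.balance(acct) >= amount, "insufficient balance"
        self._push(self._acct[acct], self.balance(acct) - amount)
        self._push(self._total, self.total() - amount)


class Governance:
    def __init__(self, ledger, chain):
        self.ledger, self.chain = ledger, chain
        self.proposals = {}

    def propose(self, payload):
        pid = len(self.proposals) + 1
        self.proposals[pid] = {
            "payload": payload,
            "snapshot": self.chain.block - 1,  # power frozen before the BIP existed
            "voters": set(),
            "executed": False,
        }
        return pid

    def vote(self, pid, voter):
        self.proposals[pid]["voters"].add(voter)

    @staticmethod
    def _passes(in_favour, supply):
        num, den = SUPERMAJORITY
        return supply > 0 and in_favour * den >= supply * num

    def emergency_commit_live(self, pid):
        """VULNERABLE: tallies STALK that exists right now, flash-loaned or not."""
        p = self.proposals[pid]
        in_favour = sum(self.ledger.balance(v) for v in p["voters"])
        if self._passes(in_favour, self.ledger.total()):
            p["executed"] = True
        return p["executed"]

    def emergency_commit_snapshot(self, pid):
        """HARDENED: tallies STALK held at the snapshot block; balances acquired
        and repaid inside the committing transaction count for nothing."""
        p = self.proposals[pid]
        blk = p["snapshot"]
        in_favour = sum(self.ledger.balance_at(v, blk) for v in p["voters"])
        if self._passes(in_favour, self.ledger.total_at(blk)):
            p["executed"] = True
        return p["executed"]


def run_attack(hardened):
    """Submit a BIP, wait a day, then borrow + vote + commit + repay atomically.
    Returns True if the malicious BIP executes."""
    chain = Chain()
    ledger = StalkLedger(chain)
    ledger.mint("alice", 600)      # honest holders: 1,000 STALK in total
    ledger.mint("bob", 400)
    gov = Governance(ledger, chain)
    chain.mine(10)
    pid = gov.propose("transfer the treasury to the attacker")  # the day before
    chain.mine(7200)                                            # ~1 day of blocks
    # --- single atomic transaction begins ---
    ledger.mint("attacker", 4000)  # borrowed collateral deposited: 4000/5000 = 80%
    gov.vote(pid, "attacker")
    commit = gov.emergency_commit_snapshot if hardened else gov.emergency_commit_live
    executed = commit(pid)
    ledger.burn("attacker", 4000)  # repay the flash loan
    # --- transaction ends: the attacker holds no STALK either way ---
    assert ledger.balance("attacker") == 0
    return executed


if __name__ == "__main__":
    print("live tally     -> executed:", run_attack(hardened=False))  # True
    print("snapshot tally -> executed:", run_attack(hardened=True))   # False
```

The snapshot tally defeats flash loans because a flash loan cannot reach back to a block that has already been mined. It does not, on its own, stop an attacker who borrows voting power across several blocks on the open market; that is why snapshot voting is normally paired with a voting period and a timelock between approval and execution.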

The hack is the latest in a string of DeFi exploits this year. The recent exploit of the Ronin network was touted as the largest crypto hack in history, with over $625 million lost. That attack has since been attributed to the infamous North Korean hacking group ‘Lazarus,’ and the funds continue to be laundered on a daily basis.

Whilst the identity of the exploiter remains unclear, Beanstalk have stated they are “open to discussion” with them, hoping for an amicable return of funds. With the majority of the funds already deposited into the privacy-preserving protocol Tornado Cash, this may be somewhat optimistic. What we know for sure is that public trust in the security of DeFi protocols is beginning to falter, with larger and more frequent exploits striking fear into the hearts of even the most die-hard DeFi degens…

Author

  • James is a British doctor currently residing in Sydney. When he’s not at the hospital or bringing you the latest in crypto news, you’ll find him in the surf or exploring Australia’s great outdoors.
