Attackers have breached blockchain finance project Beanstalk Farms, leading to a loss of $182 million in cryptocurrency assets, blockchain analysis firm PeckShield Inc. reported via Twitter Sunday morning. Hackers have reportedly made off with at least $80 million.
The security breach resulted in credit-based “stablecoin” protocol project Beanstalk Farms losing all of its collateral in a record “flash loan” attack. Whether and how victims will be reimbursed remains an open question.
“You May Want to Take a Look”
At around 13:00 UTC on April 17th, Beanstalk Farms was met with an alarming message from PeckShield that read: “Hi, @beanstalkFarms, you may want to take a look,” Cointelegraph wrote.
“Our initial analysis shows the @BeanstalkFarms loss is ~$182m!” PeckShield exclaimed publicly via a Twitter post. PeckShield’s breakdown of the stolen assets: 79,238,241 in BEAN3CRV-f, 1,637,956 in BEANLUSD-F, 36,084,584 in BEAN, and 0.54 units of UNI-V2_WETH_BEAN. A total of 24,830 ETH (Ethereum) was taken, PeckShield wrote. “Just lost $150k in $bean ask me anything,” Twitter user “ajpikul” said.
On an interesting note, other details indicate that the hacker donated “250k to Ukraine Crypto Donation,” PeckShield added in the same Twitter thread.
Yet Another DeFi Exploit This Month
BeanStalk Farms is the second case of a multi-million dollar “flash loan” attack within a month, Coindesk said. The past few weeks have been packed with such DeFi exploits. Last month, hackers stole over $600 million from the Ronin network in a record DeFi exploit. A similar amount was taken from DeFi provider Poly Network in a notorious cryptocurrency incident last year.
DeFi, short for decentralized finance, is a popular trend comprising a collection of blockchain projects that largely rely on the Ethereum cryptocurrency. The goal is to transform traditional banking services into decentralized architectures that are community-managed.
Flash Loan Attack and Malicious Governance Proposals
In this case, the hacker leveraged a “flash loan” attack to pass malicious governance proposals BIP-18 and BIP-19, which drained all funds into a private Ethereum wallet, Coindesk added. The attacker took out a $1 billion loan in DAI, USDC, and USDT from the lending platform Aave, the forex portal FXStreet said, and afterwards quietly funneled the proceeds through the cryptocurrency mixer Tornado Cash.
The borrowed capital allowed the attacker to amass an enormous amount of Beanstalk tokens and, with them, the voting power needed to pass the malicious governance proposals.
“Beanstalk did not use a flash loan resistant measure to determine the % of Stalk that had voted in favor of the BIP. This was the fault that allowed the hacker to exploit Beanstalk,” Beanstalk project leads said.
Flash loans, quick smart-contract loans that let DeFi users borrow crypto without putting down collateral, are a favorite tool of attackers. Traders use flash loans to profit from arbitrage opportunities, while for attackers the benefit is that enormous amounts of tokens can be hoovered up and malicious proposals passed in a matter of seconds, all at the same time, the Tokenist added.
The 2021 C.R.E.A.M. Finance flash loan exploit, which cost $37.5 million, is an earlier example of the kind of incident that has rocked the DeFi community.
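The two statements above (the project leads’ admission that no “flash loan resistant measure” weighed the votes, and the Tokenist’s point that borrowing, voting and passing can all happen in seconds) describe one missing check. The following toy simulation is an added example, not Beanstalk’s contract code or any other project’s: it models a governance token whose voting power is minted on deposit and burned on withdrawal (an assumed, simplified model), checkpoints balances and total supply per block, and compares two rules. With `snapshot_votes=False` a vote is weighed by the voter’s balance at the moment of voting; with `snapshot_votes=True` it is weighed by the balance as of the block before the proposal was created, so capital that appears and disappears within one block carries no weight. `min_voting_blocks` adds the second common defence, a mandatory delay between proposal and execution. All holder names, amounts and the simple-majority threshold are constructed for the example.

```python
from bisect import bisect_right
from dataclasses import dataclass


@dataclass
class Chain:
    """Stand-in for block height; a flash loan is borrowed and repaid inside one block."""
    block: int = 1

    def mine(self, n=1):
        self.block += n


class Checkpoints:
    """A value's history as (block, value) pairs, readable as of any past block."""

    def __init__(self):
        self.points = []

    def latest(self):
        return self.points[-1][1] if self.points else 0

    def at(self, block):
        i = bisect_right([b for b, _ in self.points], block)
        return self.points[i - 1][1] if i else 0

    def write(self, block, value):
        if self.points and self.points[-1][0] == block:
            self.points[-1] = (block, value)      # same block: overwrite, keep one point
        else:
            self.points.append((block, value))


class VotingToken:
    """Voting power minted on deposit and burned on withdrawal (assumed model);
    per-holder balances and the total supply are checkpointed per block."""

    def __init__(self, chain):
        self.chain, self.holders, self.supply = chain, {}, Checkpoints()

    def power(self, holder):
        return self.holders.setdefault(holder, Checkpoints())

    def adjust(self, holder, delta):
        cp = self.power(holder)
        if cp.latest() + delta < 0:
            raise ValueError("insufficient voting power")
        cp.write(self.chain.block, cp.latest() + delta)
        self.supply.write(self.chain.block, self.supply.latest() + delta)


@dataclass
class Proposal:
    created_block: int
    votes_for: int = 0


class Governance:
    """snapshot_votes: weigh votes by power as of the block *before* the proposal
    (the flash-loan-resistant measure); min_voting_blocks: delay before execution."""

    def __init__(self, token, snapshot_votes, min_voting_blocks):
        self.token = token
        self.snapshot_votes = snapshot_votes
        self.min_voting_blocks = min_voting_blocks

    def propose(self):
        return Proposal(created_block=self.token.chain.block)

    def _weight(self, cp, proposal):
        return cp.at(proposal.created_block - 1) if self.snapshot_votes else cp.latest()

    def vote(self, proposal, voter):
        proposal.votes_for += self._weight(self.token.power(voter), proposal)

    def execute(self, proposal):
        """Passes when the delay has elapsed and votes exceed half the (snapshotted) supply."""
        if self.token.chain.block < proposal.created_block + self.min_voting_blocks:
            return False
        return proposal.votes_for * 2 > self._weight(self.token.supply, proposal)


def _setup(snapshot_votes, min_voting_blocks):
    chain = Chain()
    token = VotingToken(chain)
    token.adjust("holder-A", 600_000)    # constructed long-term depositors
    token.adjust("holder-B", 400_000)
    chain.mine(10)
    return chain, token, Governance(token, snapshot_votes, min_voting_blocks)


def single_block_proposal(snapshot_votes, min_voting_blocks):
    """Borrowed capital deposited, voted with, and withdrawn in one block, as the
    article describes. Returns True if the proposal executes."""
    chain, token, gov = _setup(snapshot_votes, min_voting_blocks)
    token.adjust("borrower", 3_000_000)
    proposal = gov.propose()
    gov.vote(proposal, "borrower")
    passed = gov.execute(proposal)
    token.adjust("borrower", -3_000_000)
    return passed


def ordinary_proposal(snapshot_votes, min_voting_blocks):
    """Long-term holders vote over several blocks; must still pass under either rule."""
    chain, token, gov = _setup(snapshot_votes, min_voting_blocks)
    proposal = gov.propose()
    chain.mine(1)
    gov.vote(proposal, "holder-A")
    chain.mine(1)
    gov.vote(proposal, "holder-B")
    chain.mine(min_voting_blocks)
    return gov.execute(proposal)
```

Under the current-balance rule with no delay, `single_block_proposal(False, 0)` executes, which is the failure mode the project leads describe. Reading voting power as of the previous block (`snapshot_votes=True`) gives the same-block deposit zero weight, and a non-zero `min_voting_blocks` independently prevents proposal and execution from landing in one block, while `ordinary_proposal` still passes under every combination, so neither defence breaks routine governance.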
Beanstalk Market Collapsed
As a result, Beanstalk’s BEAN stablecoin collapsed, falling over 86%. A stablecoin is a digital currency “pegged” to, and backed by, reserve assets such as gold or the U.S. dollar, as opposed to “unpegged” ones like Bitcoin; the peg is meant to make stablecoins less volatile than their unpegged counterparts.
Meanwhile, Beanstalk’s market capitalization has fallen to $12.6 million as traders dump BEAN and recover what funds they can on Uniswap, FXStreet wrote.
Beanstalk Declined Specific Questions
When asked whether stolen funds will be reimbursed to users, Beanstalk declined to answer directly, saying only that more information would be shared at a “town hall” meeting (an organization-wide business meeting).
“As a decentralized project, we are asking the DeFi community and experts in chain analytics to help us limit the exploiter’s ability to withdraw funds via CEXes. If the exploiter is open to a discussion, we are as well,” Beanstalk told its followers via Twitter.
Beanstalk stated that it has reached out to the FBI Crime Center and is working on tracking down the perpetrator and recovering the stolen funds.
The outlook may not be very rosy, as “Proponents believe that there is a low likelihood of lost users’ funds being reinstated with zero financial backing,” FXStreet said.
For further reading on the subject, check out our full guide on which cryptocurrency scams to watch out for this year. For more on safe stablecoin alternatives, check out this guide to the best Bitcoin alternatives.