Beanstalk Stablecoin protocol loses $182 million in governance exploit
Stablecoin protocol Beanstalk Farms lost $182 million in collateral to a malicious attack carried out through its own governance proposal system
By Shashank Bhardwaj
Beanstalk Farms, the credit-based stablecoin protocol, was drained of $182 million worth of collateral in a security breach involving two malicious governance proposals and a flash loan attack. Beanstalk Farms is built on the Ethereum network as a decentralised, algorithmic stablecoin issuing platform.
The exploit was carried out through two governance proposals, BIP-18 and BIP-19, issued on April 16, 2022, which urged the protocol to donate funds to Ukraine. A malicious rider attached to these proposals caused Beanstalk to lose all of its collateral funds in the exploit. The security breach happened around 12:24 PM UTC (5:54 PM IST).
The exploiter first took out $1 billion in flash loans from the Aave protocol, denominated in Tether (USDT), USD Coin (USDC) and Dai (DAI). They then used these funds to acquire a 67 percent majority of the voting power in the platform's governance and voted through their own proposals. Flash loans have been used in the past to facilitate similar hacks and exploits on other protocols. A flash loan is issued through a chain of interacting smart contracts, and the transaction must be initiated and repaid within a single block.
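The paragraph above describes the lever behind the attack: borrowed tokens count as voting power for as long as one transaction lasts, and a proposal that passes inside that transaction can be executed before the loan is repaid. The following added example is a deliberately simplified Python model written for this article; it is not Beanstalk's code, and the threshold, delay, token balances and class names are constructed assumptions. It runs the same borrow-vote-execute-repay sequence against a weak design (vote weight read from the voter's current balance, immediate execution) and a hardened design (vote weight frozen at proposal creation, plus a mandatory delay before execution) so that the defensive effect of each control can be checked directly.

```python
# Added example (not Beanstalk's code): a toy governance model showing why reading
# vote weight from a voter's *current* token balance and letting a passing proposal
# execute in the same transaction can be gamed with a flash loan, and how freezing
# weight at proposal creation plus an execution delay removes that lever.
from dataclasses import dataclass, field
from typing import Optional

SUPERMAJORITY = 2 / 3   # assumed passing threshold (constructed value)
EXECUTION_DELAY = 10    # assumed minimum blocks between proposal and execution


class Token:
    """Minimal fungible token ledger (constructed for the example)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.total_supply = sum(balances.values())

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, sender, receiver, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[receiver] = self.balance_of(receiver) + amount


@dataclass
class Proposal:
    proposer: str
    created_block: int
    votes: dict = field(default_factory=dict)          # voter -> weight counted
    weights_at_creation: Optional[dict] = None         # used by the hardened variant only
    executed: bool = False


class NaiveGovernance:
    """Weak design: weight = live balance, execution as soon as the threshold is met."""

    def __init__(self, token):
        self.token = token
        self.block = 0
        self.proposals = []

    def propose(self, proposer):
        self.proposals.append(Proposal(proposer, self.block))
        return len(self.proposals) - 1

    def vote_weight(self, proposal, voter):
        return self.token.balance_of(voter)            # live balance: inflatable by a flash loan

    def vote(self, pid, voter):
        p = self.proposals[pid]
        p.votes[voter] = self.vote_weight(p, voter)

    def try_execute(self, pid):
        p = self.proposals[pid]
        if sum(p.votes.values()) / self.token.total_supply >= SUPERMAJORITY:
            p.executed = True
        return p.executed


class HardenedGovernance(NaiveGovernance):
    """Weight frozen when the proposal is created, and a mandatory delay before execution."""

    def propose(self, proposer):
        pid = super().propose(proposer)
        self.proposals[pid].weights_at_creation = dict(self.token.balances)
        return pid

    def vote_weight(self, proposal, voter):
        return proposal.weights_at_creation.get(voter, 0)   # tokens borrowed later do not count

    def try_execute(self, pid):
        p = self.proposals[pid]
        if self.block < p.created_block + EXECUTION_DELAY:
            return False                                # nothing executes in the same block
        return super().try_execute(pid)


def flash_loan_vote(gov, token, attacker, lender, amount, pid):
    """One atomic transaction: borrow, vote, attempt execution, repay."""
    token.transfer(lender, attacker, amount)
    gov.vote(pid, attacker)
    executed = gov.try_execute(pid)
    token.transfer(attacker, lender, amount)            # loan repaid before the transaction ends
    return executed


def simulate(governance_cls, wait_blocks=1):
    """Run the same scenario against either design; returns whether the proposal executed."""
    # Constructed balances: the lending pool holds most of the supply, the attacker a sliver.
    token = Token({"lender": 1_000_000, "attacker": 1_000,
                   "holder_a": 300_000, "holder_b": 200_000})
    gov = governance_cls(token)
    pid = gov.propose("attacker")
    gov.block += wait_blocks      # the flash-loan transaction lands wait_blocks later
    return flash_loan_vote(gov, token, "attacker", "lender", 1_000_000, pid)


if __name__ == "__main__":
    print("naive design executed:   ", simulate(NaiveGovernance))      # True
    print("hardened design executed:", simulate(HardenedGovernance))   # False
```

Against the naive design the borrowed 1,000,000 tokens push the attacker's weight to just over two thirds of supply and the proposal executes inside the loan transaction. Against the hardened design the same transaction fails twice over: the execution delay blocks same-block execution, and even once the delay has elapsed the attacker's weight is the 1,000 tokens held when the proposal was created, which is the check a reviewer should look for when auditing a governance contract.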
A post from the Beanstalk Farms Twitter handle said, “We’re engaging all efforts to try to move forward. As a decentralised project, we are asking the DeFi community and experts in chain analytics to help us limit the exploiters’ ability to withdraw funds via CEXes. If the exploiter is open to discussion, we are as well.”
Technically, the exploit cannot be called a hack, as there was no lapse in the governance procedures and the smart contracts functioned as designed; it was flaws in that design that the attacker exploited. Beanstalk's spokesperson ‘Publius’ said in an April 18, 2022, meeting, “It’s unfortunate that the same governance procedure that put Beanstalk in a position to succeed, was ultimately its undoing.”
PeckShield data shows that the attacker made off with $80 million in Ether and BEAN tokens, while the protocol lost $182 million in TVL (Total Value Locked). The exploiter swapped their BEAN tokens for Ether and then sent the coins to Tornado Cash to obscure the trail.
Also, 250,000 USDC were sent to the Ukraine Crypto Donation wallet. After the flash loan attack, Publius confirmed that the project had little chance of a bailout, since it had no venture capital backing to draw on to recover the losses.
The team has also reached out to the Federal Bureau of Investigation (FBI) to investigate and track down the perpetrators. All governance privileges and smart contracts on the project have been revoked. Despite their personal losses, the Beanstalk community has been largely supportive of the team.
The writer is the founder at yMedia. He ventured into crypto in 2013 and is an ETH maximalist. Twitter: @bhardwajshash