NEW YORK (BLOOMBERG) – Decentralised finance project Beanstalk Farms suffered one of the largest-ever flash-loan exploits on Sunday (April 17), sending its price tumbling.
The credit-focused, Ethereum-based stablecoin protocol suffered a total loss of around US$182 million (S$248 million) and the attacker got away with around US$80 million of crypto tokens, according to blockchain security firm PeckShield, which had flagged the incident on Twitter.
The project’s native token Bean fell about 75 per cent from its US$1 peg against the dollar, pricing from CoinGecko showed.
The protocol’s creators disclosed their identities on Beanstalk’s Discord server, and said that they were not involved in the attack. “We are not aware of the identity of the individuals who were involved. Like all other investors in Beanstalk, we lost all of our deposited assets in the Silo, which was substantial,” the founders wrote.
It is not yet clear whether investors who lost funds will be reimbursed – or if so, how and to what extent. Beanstalk did not reply to an e-mail from Bloomberg seeking comment.
Unlike traditional lending, which requires a loan to be secured with collateral or credit checks, DeFi smart contracts allow users to borrow huge sums of stablecoins in what are known as flash loans, without any form of security. Flash loans, where the entire process of borrowing and returning the loan happens in a single transaction on the blockchain, are fairly popular among arbitrage traders.
Flash loans have also turned out to be a soft target for exploits, as any lapse in a smart contract's code lets an attacker manipulate the protocol and drain millions. Last year, Cream Finance and Alpha Homora lost US$130 million and US$37 million, respectively, in the same manner.
According to PeckShield, the hacker has already moved the entire US$80 million onto crypto asset mixing service Tornado Cash to hide their tracks. The perpetrator also donated US$250,000 in stablecoin USDC to Ukraine.