They would then obtain voting rights in proportion to the value of tokens that they held, creating a vulnerability that would prove to be the project’s undoing.

The attack was made possible by another DeFi product called a “flash loan,” which allows users to borrow large amounts of cryptocurrency for very short periods of time (minutes or even seconds). Flash loans are meant to provide liquidity or take advantage of price arbitrage opportunities but can also be used for more nefarious purposes.

According to analysis from blockchain security firm CertiK, the Beanstalk attacker used a flash loan obtained through the decentralized protocol Aave to borrow close to $1 billion in cryptocurrency assets and exchanged these for enough beans to gain a 67 percent voting stake in the project.

Defi project beanstalk loses $182 million in flash loan attack

“Like all other investors in Beanstalk, we lost all of our deposited assets in the Silo, which was substantial,” the founders wrote.

It is not yet clear whether investors who lost funds will be reimbursed – or if so, how and to what extent. Beanstalk did not reply to an e-mail from Bloomberg seeking comment.

Unlike traditional lending, which requires a loan to be secured with collateral or credit checks, DeFi smart contracts allow users to borrow huge sums of stablecoins in what are known as flash loans, without any form of security.
Flash loans, where the entire process of borrowing and returning the loan happens in a single transaction on the blockchain, are fairly popular among arbitrage traders.

Flash loans have also turned out to be a soft target for exploits, as any lapse in smart-contract code lets an attacker manipulate the protocol and drain millions.

“Developers and administrators should be aware of new points of failure that can be created by developers or DAO members intentionally or by accident.”

For investors in Beanstalk who have lost their staked coins, there may be little recourse. In a message posted immediately after the hack, the Beanstalk founders wrote that it was “highly unlikely” the project would receive a bailout since it had not been developed with VC backing, adding “we are fucked.”

In the project’s Discord server, many users claim to have lost tens of thousands of dollars of invested cryptocurrency.
Since the attack, the hacker has been moving funds through Tornado Cash, a privacy-focused mixer service that has become a go-to step in laundering stolen cryptocurrency funds.

The total loss to the Beanstalk protocol was said to be about $180 million.

We’re told the crook used what’s called a flash loan to drum up the needed funds to gain sufficient governance rights over Beanstalk: some $1 billion in crypto-coins from the Aave lending protocol were obtained, and used to get enough of Beanstalk’s governance tokens to approve a proposed movement of the collateral, before it was all paid back. Flash loans are awarded and paid back in a single blockchain transaction; it can take just seconds to get the money and return it.

“Hackers like to use the flash loan since they don’t even have to risk their own capital, and the wallets don’t get traced back to them, since they are using someone else’s funds,” Check Point security researchers noted in March.

“Our team is currently working on multiple initiatives aimed at demystifying audits,” reads the analysis.

The platform is still investigating the incident and has openly called on the DeFi community and blockchain analytics experts to help it salvage what it can. At the same time, it has also invited the exploiter to negotiate.

We’re engaging all efforts to try to move forward.
As a decentralized project, we are asking the DeFi community and experts in chain analytics to help us limit the exploiter’s ability to withdraw funds via CEXes. If the exploiter is open to a discussion, we are as well.

In a postmortem examination of the Beanstalk fiasco by Omniscia’s smart-contract auditors, they explain how a flaw in Beanstalk’s design “compromised the protocol’s governance mechanism, ultimately permitting the attacker to conduct an emergency execution of a malicious proposal siphoning project funds.” In other words, there wasn’t sufficient built-in protection against this kind of snatch-and-run caper.

The crook first put forward a governance proposal requesting donations for Ukraine.

In response, the price of each Bean plummeted to near zero before recovering to about a dollar, as per its stablecoin design, and the Beanstalk team called on the cryptocurrency world to block the movement of its harvested funds.

“We’re engaging all efforts to try to move forward,” the Beanstalk folks tweeted on Sunday. “As a decentralized project, we are asking the DeFi community and experts in chain analytics to help us limit the exploiter’s ability to withdraw funds via centralized exchanges. If the exploiter is open to a discussion, we are as well.”

Meanwhile, the miscreant made off with what looked like at least $80 million in Ethereum and Beans in the heist and laundered it via Tornado Cash, a crypto-coin mixing service, according to blockchain security firm PeckShield.

Beanstalk Farms, a decentralized finance (DeFi) platform, said it lost all of its $180 million collateral over the weekend.

Someone managed to game Beanstalk by investing enough funds to gain control of the system and promptly drained its holdings.

Beanstalk works by letting people buy beans, which are pegged at about $1 each, and earn interest. Crucially, the system was designed so that its participants can vote on changes to the platform, with the strength of their vote determined by how invested they are in the platform.

Over the weekend, someone took out a brief but massive loan to acquire enough voting rights to make the necessary governance changes to siphon off all of Beanstalk’s reserves.
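The two paragraphs above describe the design flaw in general terms: voting power was read from the voter's token balance at the moment of voting, and a supermajority could execute a proposal immediately (the "emergency execution" that Omniscia's postmortem mentions). The Python model below is an added illustration, not code from any of the quoted articles and not Beanstalk's own contracts. It uses a constructed toy ledger and made-up balances, and contrasts the weak design with the usual mitigation: fix each voter's weight at a balance checkpoint taken before the proposal was created, and require a delay before execution, so tokens borrowed and repaid inside one block carry no voting power.

```python
"""Toy model of token-weighted governance and why same-block borrowed tokens
break it. All names, balances and the 2/3 threshold are constructed for
illustration; this is not Beanstalk's code."""
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """In-memory token ledger that records a balance checkpoint per block."""
    balances: dict[str, int]
    block: int = 0
    checkpoints: dict[int, dict[str, int]] = field(default_factory=dict)

    def total(self) -> int:
        return sum(self.balances.values())

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def next_block(self) -> None:
        """Seal the current block: store its final balances, then advance."""
        self.checkpoints[self.block] = dict(self.balances)
        self.block += 1

    def balance_at(self, block: int, who: str) -> int:
        return self.checkpoints[block].get(who, 0)

    def total_at(self, block: int) -> int:
        return sum(self.checkpoints[block].values())


class Governance:
    """Token-weighted voting with a 2/3 supermajority.

    live_weights=True  : weight is the voter's balance *at vote time* and a
                         supermajority may execute at once (the weak design).
    live_weights=False : weight is the voter's balance at the checkpoint sealed
                         before the proposal's creation block, and execution
                         must wait `delay_blocks` after creation (the hardened
                         design, in the spirit of checkpointed-vote tokens plus
                         a timelock)."""
    def __init__(self, ledger: Ledger, live_weights: bool, delay_blocks: int = 0):
        self.ledger = ledger
        self.live = live_weights
        self.delay = delay_blocks
        self.proposals: dict[int, dict] = {}

    def propose(self, proposer: str, action: str) -> int:
        pid = len(self.proposals)
        self.proposals[pid] = {"action": action, "proposer": proposer,
                               "created": self.ledger.block,
                               "snapshot": self.ledger.block - 1,  # last sealed block
                               "votes": {}, "executed": False}
        return pid

    def vote(self, pid: int, voter: str) -> None:
        p = self.proposals[pid]
        if self.live:
            p["votes"][voter] = self.ledger.balances.get(voter, 0)
        else:
            p["votes"][voter] = self.ledger.balance_at(p["snapshot"], voter)

    def execute(self, pid: int) -> bool:
        """Return True if the proposal executed (now or earlier)."""
        p = self.proposals[pid]
        if self.live:
            supply = self.ledger.total()
        else:
            if self.ledger.block < p["created"] + self.delay:
                return p["executed"]            # timelock not yet elapsed
            supply = self.ledger.total_at(p["snapshot"])
        support = sum(p["votes"].values())
        if support * 3 >= supply * 2:           # support >= 2/3 of supply, no floats
            p["executed"] = True
        return p["executed"]


def run_scenario(live_weights: bool) -> bool:
    """Constructed timeline mirroring the pattern in the articles: a proposal is
    filed one block ahead; in the next block the proposer borrows, votes, tries
    to execute and repays, all inside that single block. Returns True if the
    malicious proposal executed."""
    ledger = Ledger({"community": 1_000_000, "lender": 5_000_000, "attacker": 10_000})
    ledger.next_block()                                   # seal block 0 -> checkpoint 0
    gov = Governance(ledger, live_weights, delay_blocks=2)
    pid = gov.propose("attacker", "transfer reserves to attacker")   # created in block 1
    ledger.next_block()                                   # now in block 2
    ledger.transfer("lender", "attacker", 4_000_000)      # borrow (flash loan)
    gov.vote(pid, "attacker")                             # ~67% of supply if counted live
    executed = gov.execute(pid)
    ledger.transfer("attacker", "lender", 4_000_000)      # repay in the same block
    return executed


if __name__ == "__main__":
    print("live balances, immediate execution:", run_scenario(True))    # True
    print("checkpointed weights + timelock:  ", run_scenario(False))   # False
```

With live weights the borrowed 4,000,000 tokens push the proposer to roughly two thirds of supply for the duration of one block, which is all the weak design needs. With checkpointed weights the proposer's recorded balance is the 10,000 they actually held before the proposal existed, and the timelock independently refuses execution in the creation block or the block after it; either check alone is enough to stop this scenario, and together they force an attacker to hold real capital across blocks rather than rent it for seconds.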

DeFi project Beanstalk loses $250 Million in flash loan attack

NEW YORK (BLOOMBERG) – Decentralised finance project Beanstalk Farms suffered one of the largest-ever flash-loan exploits on Sunday (April 17), sending its price tumbling.

The credit-focused, Ethereum-based stablecoin protocol suffered a total loss of around US$182 million (S$248 million) and the attacker got away with around US$80 million of crypto tokens, according to blockchain security firm PeckShield, which had flagged the incident on Twitter.

The project’s native token Bean fell about 75 per cent from its US$1 peg against the dollar, pricing from CoinGecko showed.

The protocol’s creators disclosed their identities on Beanstalk’s Discord server, and said that they were not involved in the attack. “We are not aware of the identity of the individuals who were involved.”

On April 17th, the decentralized finance (DeFi) project Beanstalk Farms was exploited for $182 million after an attacker mounted a lightning-fast hostile takeover, buying a controlling stake of tokens and immediately voting to send themself all of the funds.

The incident sparked discussion around “governance attacks,” a way of manipulating blockchain projects that use decentralized governance structures by gaining enough voting rights to reshape the rules.

In the wake of the attack, chat logs and video evidence show that the founders were warned about the risk of exactly this kind of attack, but they dismissed community members’ concerns.

The Beanstalk exploit was made possible by another DeFi mechanism known as a “flash loan,” which allows users to borrow large amounts of cryptocurrency for very short periods of time.

  • Beanstalk Farms lost $182 million because of a security breach.
  • Malicious proposals were issued requesting a donation to Ukraine.
  • PeckShield attempted to alert Beanstalk Farms of the breach via a tweet, but it was already too late.

Beanstalk Farms, a credit-based stablecoin protocol, lost $182 million because of a security breach. This amounts to all of the company’s collateral. The breach is suspected to have been caused by two questionable governance proposals and a flash loan attack.

The problem with the protocol started when governance proposals BIP-18 and BIP-19 were issued on April 16. This was when the exploiter asked the protocol to donate money to Ukraine.

Unfortunately, the proposals had a malicious rider attached to them.
