It was a not-so-happy Easter for fans of Beanstalk Farms: a DeFi flash-loan loophole let an attacker find eggs worth millions of dollars, wiping out value for other Bean holders and leaving their supposed stablecoins worth pennies instead of $1.
During the Easter weekend, an anonymous attacker drained Beanstalk Farms’ reserves, stealing $182 million worth of cryptocurrency. The attacker used a flash loan to gain enough voting power to move the money out within a single transaction, in a matter of seconds.
Blockchain security firm PeckShield flagged the attack on Sunday morning, estimating that the attacker’s net profit was about $80 million of the $182 million total, after repaying the flash loans used to carry out the attack.
On Sunday afternoon, Beanstalk released a tweet confirming the attack, stating that “The Beanstalk Farms team is investigating the attack and will make an announcement to the community as soon as possible.”
Beanstalk suffered an exploit today.
The Beanstalk Farms team is investigating the attack and will make an announcement to the community as soon as possible.
— Beanstalk Farms (@BeanstalkFarms) April 17, 2022
Beanstalk Farms is a DeFi project built around an Ethereum-based algorithmic stablecoin, the ‘Bean’, intended to hold a value of about $1 USD. Holders earn rewards by depositing into a common pool that the protocol uses to keep the price of a single Bean near that peg.
Publius, the development team behind Beanstalk, designed a governance system in which participants vote on code changes, with voting power proportional to the number of tokens they have staked.
The attack was made possible by a flash loan, a DeFi product that lets a borrower take out a large sum on the condition that it is repaid within the same transaction, so the loan exists only for the seconds it takes that transaction to execute. With the borrowed funds the attacker acquired enough governance stake to hold a supermajority, then used that stake to pass and execute a proposal that sent the protocol’s funds to their own wallet, all before the loan came due.
Crypto expert Stephen Diehl stated:
“It’s possible for someone to basically buy up all the shares in the organisation. In the normal corporate world this would be illegal because it’s embezzlement and self-dealing. However, with a DAO [decentralised autonomous organisation], it basically exists outside of any regulatory perimeter – so basically anything goes and the code dictates everything. It’s technically ‘legal’ in some sense, but it’s a very grey area.”
The lightning hostile takeover raises fresh questions about the unregulated nature of digital currencies and the lack of protections for investors.
Describing itself as a “decentralised credit based stablecoin protocol”, Beanstalk offers a cryptocurrency, called beans, intended to have a stable value of $1 a coin. It effectively operated as a bank, letting savers (“bean farmers”) make deposits (of “beans” into a “field”), and using their savings to ensure that the value of a single bean stayed as close to $1 as possible.
Others were encouraged to deposit cryptocurrencies such as ether into a “silo” to build up the stablecoin’s reserves in exchange for voting rights over the operation of the organization. On Sunday night, one such vote resulted in Beanstalk’s entire silo, worth around $182m at market rates, being transferred out of the organization.
A still-unidentified attacker had borrowed $80m in cryptocurrency and deposited it in the project’s silo, gaining enough voting rights in exchange to be able to pass any proposal instantly. With that power, they voted to transfer the contents of the treasury to themselves, then returned the voting rights, withdrew their money, and repaid the loan – all in a matter of seconds.
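To make the mechanism in the passages above concrete (token-weighted voting as described for Publius’ design, and the borrow, stake, vote, drain, withdraw, repay sequence described here), the following is an added Python model. It is not Beanstalk’s Solidity and not a reconstruction of the real exploit transaction; the DAO, the voters, the treasury and loan sizes, and the two mitigations it compares (counting voting power as it stood at the start of the previous block, and an execution delay) are constructed for illustration. It shows why the attack works only when votes are counted from live balances and the proposal can be executed in the same transaction in which the loan is taken.

```python
"""Toy model of a flash-loan governance takeover and two mitigations.
Added illustration in plain Python, not Beanstalk's Solidity and not a
reconstruction of the exploit transaction; all figures are constructed."""
import copy
from dataclasses import dataclass, field

class Revert(Exception):
    """Stands in for an EVM revert: the whole transaction is rolled back."""

@dataclass
class Governance:
    """Minimal DAO: staked tokens give votes; a passed proposal runs a payload."""
    balances: dict            # staker -> governance tokens currently deposited
    treasury: int             # assets the DAO controls (constructed figure)
    snapshot_votes: bool      # hardened: count power as of the previous block
    execution_delay: int      # hardened: blocks that must elapse before execution
    supermajority: float = 2 / 3
    block: int = 0
    proposals: dict = field(default_factory=dict)

    def __post_init__(self):
        # Balances at the start of the current block; flash-loaned stake
        # deposited during this block is not visible here.
        self.at_block_start = dict(self.balances)

    def advance_block(self):
        self.block += 1
        self.at_block_start = dict(self.balances)

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def withdraw(self, who, amount):
        self.balances[who] -= amount

    def propose(self, pid, payload):
        snap = dict(self.at_block_start) if self.snapshot_votes else None
        self.proposals[pid] = {"payload": payload, "votes": set(),
                               "opened": self.block, "snapshot": snap}

    def vote(self, pid, voter):
        self.proposals[pid]["votes"].add(voter)

    def execute(self, pid):
        p = self.proposals[pid]
        if self.block < p["opened"] + self.execution_delay:
            raise Revert("execution delay not elapsed")
        # The naive design reads live balances, so borrowed stake counts.
        power = p["snapshot"] if p["snapshot"] is not None else self.balances
        for_votes = sum(power.get(v, 0) for v in p["votes"])
        if for_votes < self.supermajority * sum(power.values()):
            raise Revert("supermajority not reached")
        p["payload"](self)

def drain_treasury_to(attacker, loot):
    # Malicious proposal payload: send everything the DAO holds to the attacker.
    def payload(gov):
        loot[attacker] = loot.get(attacker, 0) + gov.treasury
        gov.treasury = 0
    return payload

def flash_loan_takeover(gov, attacker, loan, fee):
    """One atomic transaction: borrow, stake, propose, vote, execute, unstake, repay.
    Returns the attacker's net gain; on any revert all state is undone."""
    before = copy.deepcopy(gov)
    loot = {}
    try:
        gov.deposit(attacker, loan)                      # borrowed stake buys votes
        gov.propose("drain", drain_treasury_to(attacker, loot))
        gov.vote("drain", attacker)
        gov.execute("drain")                             # naive design: passes at once
        gov.withdraw(attacker, loan)                     # take the stake back out
        if loot.get(attacker, 0) < fee:                  # lender must be repaid
            raise Revert("flash loan not repaid")
        return loot[attacker] - fee
    except Revert:
        gov.__dict__.update(before.__dict__)             # atomic rollback
        return 0

def run_attack(snapshot_votes, execution_delay):
    """Return (attacker gain, treasury left) under a given governance design."""
    gov = Governance(balances={"alice": 60, "bob": 40}, treasury=1_000,
                     snapshot_votes=snapshot_votes, execution_delay=execution_delay)
    gain = flash_loan_takeover(gov, "attacker", loan=1_000_000, fee=1)
    return gain, gov.treasury

def run_honest_vote():
    """Hardened rules still let a genuine supermajority pass a proposal over time."""
    passed = {}
    gov = Governance(balances={"alice": 60, "bob": 40}, treasury=1_000,
                     snapshot_votes=True, execution_delay=2)
    gov.advance_block()                                  # stake predates the proposal
    gov.propose("upgrade", lambda g: passed.setdefault("ok", True))
    gov.vote("upgrade", "alice")
    gov.vote("upgrade", "bob")
    for _ in range(2):
        gov.advance_block()                              # wait out the delay
    gov.execute("upgrade")
    return passed.get("ok", False)
```

With live vote counting and instant execution, run_attack(False, 0) hands the whole constructed treasury to a borrower who holds the stake for one transaction and repays the loan from the loot. Either mitigation alone makes the attack transaction revert: with the snapshot, the attacker’s freshly deposited stake carries no votes, and with the delay, the proposal cannot be executed before the loan must be repaid; in both cases run_attack returns no gain and an untouched treasury, and run_honest_vote shows that real stakers who held their tokens before the proposal still pass it once the delay has elapsed.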
“It’s very like a hostile corporate raid funded by junk bonds – except it was over in 10 seconds,” said David Gerard, the author of Attack of the 50 Foot Blockchain. “In regulated markets, we have laws and regulations on how you can take over a company and drain it, but it’s not clear that this action was illegal. Even the project concedes that the raider acted according to the rules that Beanstalk set out.”
“Honestly not sure what to type,” the project’s co-founders said on Sunday in a Discord message announcing the losses. “We are fucked. This project has not had any venture backing, so it is highly unlikely there is any sort of bailout coming.”
However, they disputed the claim that, because the attack exploited governance procedures, it was technically legal. “Earlier this morning, as soon as we learned of the attack, we contacted the FBI and informed the FBI’s internet crime center of the attack,” they wrote. “We intend to fully cooperate with the FBI to track down the perpetrators, and hopefully recover everything that was stolen.”
Immediately following the attack, the value of beans “broke the peg”, trading for significantly less than the $1 a token that was supposed to be the stable value. However, on Monday the stablecoin’s value had not hit zero and was around $0.12, since some traders were voluntarily buying beans, betting that some rescue package would arrive to rebuild the project’s treasury and restore the peg.