Beanstalk Farms, a credit-based stablecoin protocol, confirmed that it lost all of its $182 million collateral from a security breach that was executed by two sinister governance proposals coupled with a flash loan attack.
The protocol's governance proposal system was exploited, which let the malicious actors extract the entire collateral. The problem was seeded by two suspicious governance proposals, BIP-18 and BIP-19, issued on April 16 by the attacker, who asked the protocol to donate some funds to Ukraine.
According to smart contract auditor BlockSec, those proposals carried a malicious rider that ultimately set up the drain of funds from the protocol.
The breach of the decentralized finance (DeFi) protocol happened at 12:24 pm UTC. At that point the attacker took out $1 billion in flash loans from the Aave (AAVE) protocol, denominated in USD Coin (USDC), Dai (DAI) and Tether (USDT) stablecoins.
They used the borrowed funds to acquire enough assets to control 67% of the protocol's governance and approve their own proposals.
We’re engaging all efforts to try to move forward. As a decentralized project, we are asking the DeFi community and experts in chain analytics to help us limit the exploiter's ability to withdraw funds via CEXes. If the exploiter is open to a discussion, we are as well. https://t.co/fwceVz6hbi
— Beanstalk Farms (@BeanstalkFarms) April 17, 2022
A flash loan must be borrowed and repaid within a single block, and typically calls on multiple smart contracts within the same transaction to complete. Flash loans have previously been used to carry out hacks and security exploits against other protocols. Beanstalk Farms describes itself as a decentralized algorithmic stablecoin issuing platform powered by Ethereum.
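To make the governance lever concrete, here is an added example in Python; it is not Beanstalk's code and not from the article. It is a toy governance model in which voting weight equals a token balance, simulating the pattern described above with constructed balances: a proposal is created, then in a later single block an attacker borrows a large balance, votes and tries to execute, then returns the balance. The simulation shows that the same-block takeover succeeds only when votes are weighed by current balances and execution is immediate; weighing votes by a snapshot taken at proposal creation, or requiring a timelock before execution, each defeat it. Account names, balances and the 2/3 supermajority threshold (chosen to match the 67% figure above) are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Proposal:
    created_block: int
    voters: set = field(default_factory=set)
    executed: bool = False


class Governance:
    """Toy on-chain governance (hypothetical, not any real protocol).

    snapshot_voting: weigh each vote by the voter's balance at the block the
                     proposal was created, instead of the balance at tally time.
    timelock_blocks: blocks that must elapse between creation and execution.
    """

    def __init__(self, snapshot_voting: bool, timelock_blocks: int):
        self.snapshot_voting = snapshot_voting
        self.timelock_blocks = timelock_blocks
        self.balances: dict = {}   # addr -> current balance
        self.history: dict = {}    # block -> balances at the end of that block
        self.proposals: list = []

    def set_balance(self, addr: str, amount: int, block: int) -> None:
        """Record a balance change and snapshot the whole ledger at `block`."""
        self.balances[addr] = amount
        self.history[block] = dict(self.balances)

    def _state_at(self, block: int) -> dict:
        past = [b for b in self.history if b <= block]
        return self.history[max(past)] if past else {}

    def balance_at(self, addr: str, block: int) -> int:
        return self._state_at(block).get(addr, 0)

    def supply_at(self, block: int) -> int:
        return sum(self._state_at(block).values())

    def propose(self, block: int) -> int:
        self.proposals.append(Proposal(created_block=block))
        return len(self.proposals) - 1

    def vote(self, pid: int, voter: str) -> None:
        self.proposals[pid].voters.add(voter)

    def try_execute(self, pid: int, block: int) -> bool:
        """Tally at execution time; pass on a 2/3 supermajority of supply."""
        prop = self.proposals[pid]
        if prop.executed:
            return True
        if block < prop.created_block + self.timelock_blocks:
            return False  # still inside the timelock window
        ref = prop.created_block if self.snapshot_voting else block
        votes = sum(self.balance_at(v, ref) for v in prop.voters)
        if 3 * votes >= 2 * self.supply_at(ref):  # integer 2/3 check
            prop.executed = True
            return True
        return False


def simulate_flash_loan_takeover(snapshot_voting: bool, timelock_blocks: int) -> bool:
    """Return True if the borrowed-balance attacker gets their proposal executed."""
    gov = Governance(snapshot_voting, timelock_blocks)
    gov.set_balance("alice", 600, block=1)   # constructed honest holders
    gov.set_balance("bob", 400, block=1)
    pid = gov.propose(block=100)             # attacker's proposal, no weight yet
    # Block 101: borrow 2000 tokens (twice the honest supply), vote, try to execute.
    gov.set_balance("attacker", 2000, block=101)
    gov.vote(pid, "attacker")
    executed = gov.try_execute(pid, block=101)
    gov.set_balance("attacker", 0, block=101)  # loan repaid in the same block
    # Keep trying on later blocks while holding nothing.
    for blk in range(102, 102 + timelock_blocks + 1):
        executed = executed or gov.try_execute(pid, blk)
    return executed


if __name__ == "__main__":
    for snap in (False, True):
        for lock in (0, 10):
            print(f"snapshot={snap!s:5} timelock={lock:2}  "
                  f"takeover={'YES' if simulate_flash_loan_takeover(snap, lock) else 'no'}")
```

The two mitigations work for different reasons: snapshot voting means a balance acquired after the proposal exists carries no weight at all, while a timelock forces the tally to happen in a later block, by which time a flash-loaned balance has necessarily been returned. Real governance contracts also typically freeze supply and balances per snapshot block, which this model approximates with the `history` ledger.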
In that sense, the incident was technically not a hack: the smart contracts and governance processes worked exactly as designed, and it was flaws in that design that were exploited, as project spokesperson "Publius" acknowledged in a meeting held on April 18, when he stated:
“It’s unfortunate that the same governance procedure that put beanstalk in a position to succeed was ultimately its undoing.”
Blockchain security analysis company PeckShield notified the Beanstalk team through Twitter at 12:41 pm UTC on April 17 that there might be a problem, with the ominous statement:
“Hi, @beanstalkFarms, you may want to take a look.”
Our initial analysis shows the @BeanstalkFarms loss is ~$182m ! Here is the breakdown of stolen assets: 79,238,241 BEAN3CRV-f, 1,637,956 BEANLUSD-f, 36,084,584 BEAN, and 0.54 UNI-V2_WETH_BEAN. https://t.co/8OzPn8F8ot
— PeckShield Inc. (@peckshield) April 17, 2022
By then it was too late. According to data from PeckShield, the attacker had already stolen around $80 million in Beans (BEAN) and Ether (ETH), while the protocol as a whole lost its $182 million in total value locked (TVL). BEAN is now down around 80%, trading at $0.19 according to CoinGecko, but bottomed at $0.06 when the attacker dumped their tokens.
How The Beanstalk Farms Exploiter Executed The Plan
The exploiter swapped BEAN for ETH and then routed the coins through Tornado Cash to obscure their trail. They also sent 250,000 USDC to the Ukraine Crypto Donation wallet. Notably, at 11:49 pm UTC on April 17, Publius wrote that the project might be lost because there is no venture capital backing to recoup the losses, stating "We are f**ked."
In the official team and community meeting held on the Beanstalk Discord channel on April 18, Publius revealed the identities of the three people who developed the project: Brendan Sanderson, Benjamin Weintraub and Michael Montoya, all of whom attended the University of Chicago together and launched Beanstalk Farms.
Montoya stated that the team had consulted the services of the Federal Bureau of Investigation (FBI) Crime Center and would:
“Fully cooperate with them to track down the perpetrators and recover funds.”
The team has paused the protocol's smart contracts and revoked all governance privileges. The team did not respond when asked whether they believe the FBI has any legal standing to help them, but Publius believes it was a theft that needs to be investigated.
In that context, the Beanstalk community has been largely supportive of the team in its trying times despite members' heavy personal losses. Nonetheless, community member "Astrabean" thinks the team needs to take more responsibility for the attack rather than treating it as an honest mistake the project must simply recover and move on from. He said:
“I would have wanted you as leaders to take accountability for what happened.”
Community member "CharlieP" echoed these worries about trust in the protocol. He asked the Beanstalk Farms team:
“Are you saying you have no responsibility for this endeavor? If that’s the case, who are we to trust that this is not going to happen again?”
Publius responded that the project is simply an open-source code experiment, not a business. He added that neither he nor the Beanstalk team should be held accountable for what happened. He stated:
“When you ask us to take responsibility, it’s really inappropriate.”