DeFi protocol Beanstalk Farms lost over $180 million to malicious players due to an exploit on April 17 that allowed a hacker to pass a governance proposal.
The Ethereum-based stablecoin protocol’s exploit left several tokens missing and saw its U.S. dollar-pegged stablecoin drop below the $1 mark.
Beanstalk suffered an exploit today.
The Beanstalk Farms team is investigating the attack and will make an announcement to the community as soon as possible.
— Beanstalk Farms (@BeanstalkFarms) April 17, 2022
Beans protocol exploited
Blockchain security company PeckShield first reported the hack on Twitter and said a hacker stole more than $80 million by exploiting Beanstalk Farms.
1/ The @BeanstalkFarms was exploited in a flurry of txs (https://t.co/PMsdP5dnJG and https://t.co/wyHe3ARZgU),
leading to the gain of $80+M for the hacker (The protocol loss may be larger), including 24,830 ETH and 36M BEAN.— PeckShield Inc. (@peckshield) April 17, 2022
The hacker used flash loans to obtain a large amount of Beanstalk STALK tokens, which gave them enough voting power to pass a governance proposal that drained all the funds on the protocol into the hacker’s wallet.
The hacker then paid back the flash loans from Aave, Uniswap V2, and Sushiswap and converted the funds to Wrapped ETH. The stolen funds were then sent through the Tornado Cash mixer. The hacker also donated some of his stolen crypto to Ukraine.
4/ The initial funds to launch the hack are withdrawn from @SynapseProtocol and most of the result gains are deposited to @TornadoCash. Currently 15,154 ETH still stays in the hacker’s account. Note the hacker donates 250k USDC to Ukraine Crypto Donation. pic.twitter.com/jBjUJ0JbGj
— PeckShield Inc. (@peckshield) April 17, 2022
Flash loan exploits are common
Beanstalk Farms’ exploit is not the first time attackers have exploited flash loans. According to the attack summary posted on the Beanstalk Discord server, the exploit happened because Beanstalk failed to:
“use a flash loan resistant measure to determine the % of Stalk that had voted in favor of the BIP.”
1/5
The new popular @beanstalkfarms protocol lost $181M+ in today’s exploit, but the attacker only gained $76M.
Let’s figure out what happened👇 pic.twitter.com/sRjzAF8stE
— Igor Igamberdiev (@FrankResearcher) April 17, 2022
The blockchain Security firm responsible for auditing Beanstalk smart contracts, Omnicia, said Beanstalk launched the code with the flash loan vulnerability after its audit. It added in a postmortem analysis of the attack that it had not yet audited the exploited code.
Given the prevalence of flash loans exploits in the DeFi space, it’s surprising that Beanstalk introduced the code without proper auditing.
In addition, there are concerns about whether the protocol will reimburse users. Beanstalk Farms said it will provide more updates at its next town hall meeting.
The hack comes only a few weeks after a Ronin bridge exploit lost over $600 million on Axie Infinity in March.
Meanwhile, Tornado Cash’s use by hackers has given rise to criticism for its lack of effort in preventing fraud. The ETH mixer recently said it is using the Chainanalysis Oracle contract to block addresses sanctioned by the Office of Foreign Assets Control (OFAC) from using its services.
Tornado Cash uses @chainalysis oracle contract to block OFAC sanctioned addresses from accessing the dapp.
Maintaining financial privacy is essential to preserving our freedom, however, it should not come at the cost of non-compliance.https://t.co/tzZe7bVjZt— 🌪️ Tornado.cash 🌪️ (@TornadoCash) April 15, 2022