- After the attack, the market for Beanstalk’s BEAN stablecoin crashed
- Hacker took out a flash loan on lending platform Aave
- He passed a rapid-effect malicious governance proposal, draining all protocol funds into a private ETH wallet
Beanstalk Farms, an Ethereum-based stablecoin protocol, lost $182 million in a flash loan attack on Sunday.
Blockchain security firm PeckShield flagged the attack on Twitter, reporting the attacker had made away with crypto worth at least $80 million. However, Beanstalk has suffered much bigger losses. After the attack, the market for Beanstalk’s BEAN stablecoin crashed.
PeckShield tweeted:
The BeanstalkFarms was exploited in a flurry of txs leading to the gain of $80+M for the hacker (the protocol loss may be larger), including 24,830 ETH and 36M BEAN.
CoinDesk learned about the attack from a post by Beanstalk in its Discord server, summarizing the chain of events.
Attacker took out flash loan on Aave
According to the post, the hacker took out a flash loan on lending platform Aave and accumulated a large amount of STALK, Beanstalk’s native governance token. Then, they gained massive voting power, which they used to pass a rapid-effect malicious governance proposal, draining all protocol funds into a private Ethereum wallet.
The risks of flash loans
Flash loans use smart contracts to stop funds from changing hands unless certain requirements are met. The borrower has to pay back the loan before the end of the transaction. If they don’t, it is reversed by the smart contract, so it’s like the loan was never taken out in the first place.
These loans come with many risks, including where the borrower misleads the lender into thinking he paid the money back.
Project leads wrote in the attack summary:
Beanstalk did not use a flash loan resistant measure to determine the percent of Stalk that had voted in favor of the BIP. This was the fault that allowed the hacker to exploit Beanstalk.
Blockchain security firm Omnicia audited Beanstalk’s smart contracts, but this was done in advance of the introduction of the flash loan vulnerability, the company reported after the hack on Sunday.
Reimbursing users: no comment
In response to a question whether users would get their money back, Beanstalk declined to provide details. They commented more news would be coming in an upcoming event.
Attacker donates $250K to Ukrainian relief effort
PeckShield also reported the hacker seemed to have donate $250,000 of the stolen funds to a Ukrainian relief wallet:
The initial funds to launch the hack are withdrawn from SynapseProtocol and most of the result gains are deposited to TornadoCash. Currently 15,154 ETH still stays in the hacker’s account. Note the hacker donates 250k USDC to Ukraine Crypto Donation.