
Hacker Steals $182 Million From Beanstalk in a Flash Loan Exploit

Quick take:

  • Beanstalk Farms loses over $182 million in a DeFi governance exploit.
  • The breach was caused by two governance proposals and a flash loan attack.

Beanstalk Farms, a credit-based stablecoin platform, lost all of its $182 million collateral in a security breach triggered by two nefarious governance proposals and a flash loan assault.

The exploiter submitted two suspicious governance proposals, BIP-18 and BIP-19, on Saturday. They requested that the protocol send funds to Ukraine, and they laid the groundwork for the exploit. According to smart contract auditor BlockSec, some proposals had a malicious rider attached to them, which drained funds from the protocol.

Over $182 million in assets lost

At 12:24 p.m. UTC, a security compromise of the decentralized finance (DeFi) protocol was discovered. The stolen assets include 79,238,241 BEAN3CRV-f, 1,637,956 BEANLUSD-f, 36,084,584 BEAN, and 0.54 UNI-V2_WETH_BEAN. The exploiter borrowed $1 billion from the Aave (AAVE) protocol, denominated in DAI (DAI), USD Coin (USDC), and Tether (USDT) stablecoins, and used these funds to amass enough assets to seize control of 67 percent of the protocol's governance and vote on their own proposals.
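The following toy model is an added example, not Beanstalk's contract code and not part of the original article. It shows why stake that is borrowed and repaid within a single transaction counts toward a vote when voting weight is read from live balances, and why it counts for nothing when weight is read from a snapshot taken at proposal time. The class, the address names, the balances, the block numbers and the snapshot rule are all constructed assumptions; the 0.67 threshold reuses the 67 percent figure from the article.

```python
from dataclasses import dataclass, field

THRESHOLD = 0.67  # assumed passing threshold, taken from the 67 percent in the article


@dataclass
class Governance:
    """Toy stake-weighted governance model (not Beanstalk's contract code)."""
    stake: dict = field(default_factory=dict)    # live stake per address
    history: list = field(default_factory=list)  # (block, copy of stake table)

    def move(self, who, delta, block):
        """Deposit (positive delta) or withdraw (negative delta) stake."""
        self.stake[who] = self.stake.get(who, 0) + delta
        self.history.append((block, dict(self.stake)))

    def share_live(self, who):
        """Voting share read from balances at the moment of the vote."""
        total = sum(self.stake.values())
        return self.stake.get(who, 0) / total if total else 0.0

    def share_at(self, who, block):
        """Voting share read from the last stake table recorded at or before block."""
        table = {}
        for recorded, snap in self.history:
            if recorded <= block:
                table = snap
        total = sum(table.values())
        return table.get(who, 0) / total if total else 0.0


def simulate():
    """Return (live share, snapshot share, share after repayment) for the borrower."""
    gov = Governance()
    gov.move("existing_holders", 100, block=1)  # constructed balance
    proposal_block = 5                          # proposal is submitted here
    # Block 10, one transaction: borrow, deposit, vote, withdraw, repay.
    gov.move("borrower", 250, block=10)         # constructed flash-loaned stake
    live = gov.share_live("borrower")
    snap = gov.share_at("borrower", proposal_block)
    gov.move("borrower", -250, block=10)
    return live, snap, gov.share_live("borrower")


if __name__ == "__main__":
    live, snap, after = simulate()
    print(f"live-balance share {live:.2%} passes: {live >= THRESHOLD}")
    print(f"snapshot share     {snap:.2%} passes: {snap >= THRESHOLD}")
    print(f"share after repay  {after:.2%}")
```
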

The smart contracts and governance mechanisms worked as designed in this incident, so it wasn't technically a hack. Instead, flaws in their design were taken advantage of, as project spokesman "Publius" admitted at a meeting on Monday:

“It’s unfortunate that the same governance procedure that put Beanstalk in a position to succeed was ultimately its undoing.”

PeckShield also tweeted at Beanstalk, warning them of the attack.

Despite their own personal losses, the Beanstalk community has been mainly supportive of the team throughout this challenging time. Community member Astrabean, on the other hand, feels the team should take greater responsibility for the assault rather than accepting it as an honest error from which the project must move on.

The information provided on DecentReviews does not constitute investment advice, financial advice, trading advice, or any other sort of advice. Do not treat any of the website's content as such. DecentReviews does not recommend that any cryptocurrency or blockchain asset should be bought, sold, or held by you. Conduct your own due diligence and consult your financial advisor before making any investment decisions.
