Hacker Steals $182 Million From Beanstalk in a Flash Loan Exploit

Quick take:

• Beanstalk Farms loses over $182 million in a DeFi governance exploit.
• The breach was caused by two governances and a flash loan attack.

Beanstalk Farms, a credit-based stablecoin platform, lost all of its $182 million collateral in a security breach triggered by two nefarious governance proposals and a flash loan assault.

Suspicious governance proposals BIP-18 and BIP-19, submitted on Saturday by the exploiter, requested that the protocol send funds to Ukraine and sowed the problem for the protocol. According to smart contract auditor BlockSec, some proposals had a malicious rider attached to them, resulting in a sinkhole of cash from the protocol.

Over $182 million in assets lost

At 12:24 p.m. UTC, a security compromise of the decentralized finance (DeFi) protocol was discovered. The stolen assets include 79,238,241 BEAN3CRV-f, 1,637,956 BEANLUSD-f, 36,084,584 BEAN, and 0.54 UNI-V2_WETH_BEAN. The exploiter borrowed $1 billion from the Aave (AAVE) protocol at the time, denominated in DAI (DAI), USD Coin (USDC), and Tether (USDT) stablecoins. They utilized these funds to amass enough assets to seize control of 67 percent of the protocol's governance and vote on their own proposals.

‍

This scenario's smart contracts and governance mechanisms worked as expected; therefore, it wasn't technically a hack. Flaws in their design were taken advantage of, as project spokesman "Publius" admitted at a meeting on Monday:

“It’s unfortunate that the same governance procedure that put beanstalk in a position to succeed was ultimately it's undoing.”

PeckShield also made a tweet to Beanstalk warning them of the attack.

Despite their own personal losses, the Beanstalk community has been mainly supportive of the team throughout this challenging time. Community member Astrabean, on the other hand, feels the team should take greater responsibility for the assault rather than accepting it as an honest error from which the project must go on.