Beanstalk DeFi platform loses $182 million in flash-loan attack

The decentralized, credit-based finance system Beanstalk disclosed on Sunday that it suffered a security breach that resulted in financial losses of $182 million, with the attacker stealing $80 million in crypto assets.

As a result of this attack, trust in Beanstalk’s market has been compromised, and the value of its decentralized credit-based BEAN stablecoin has collapsed from a little over $1 on Sunday to $0.11 right now.

The drop in BEAN’s value within a day (CoinGecko)

The decentralized finance (DeFi) platform detailed on its Discord channel that the attacker took a flash loan on Aave, a liquidity protocol, and used the voting power gained from holding a large amount of the Stalk native governance token to pass a malicious proposal.

A post-mortem analysis of the attack from smart contract auditors and developers at Omniscia explains that the hacker managed to steal the assets via a malicious proposal:

[…] Beanstalk Protocol experienced a flash-loan attack due to a flaw in its newly introduced Curve LP Silos that compromised the protocol’s governance mechanism, ultimately permitting the attacker to conduct an emergency execution of a malicious proposal siphoning project funds.

Essentially, because the attacker held enough voting power to approve the action, they could authorize themselves to drain all of the protocol’s funds to a private Ethereum wallet in an instant.

A flash loan allows users to borrow a large amount of stablecoins from other traders without offering collateral (that is, unsecured). The loan is approved and repaid in a single transaction on the blockchain, within seconds.

Some hackers have identified vulnerabilities in various DeFi platforms that are exploitable within this short window, performing malicious actions right after the approval of a flash loan.

DeFi platforms defend against this menace using decentralized price oracles and other protection systems, but not all have established a robust defense.

The attack on Beanstalk took advantage of the lack of any measure to resist the manipulation of governance via Stalk flash loans, which was the point of failure that made the attack successful.

“The core flaw that led to the exploit manifesting is that the two new LP assets [BEAN3CRV-f and BEANLUSD-f] introduced for the project’s Silo system could be created via a flash-loan (as they represented LP units) and their Bean-Denominated-Value (BDV) calculation remained unaffected by the flash-loan in contrast to the Uniswap LP BDV calculator”
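An added illustration of the governance weakness described above (a simplified Python model, not Beanstalk's contract code): voting weight that counts same-block deposits lets flash-loaned funds clear an emergency vote, while a minimum deposit age excludes them. The class name, the two-thirds threshold, the one-block age rule and all balances are assumptions made for this example.

```python
"""Toy model (constructed) of governance voting weight under a flash loan."""
from dataclasses import dataclass, field

EMERGENCY_QUORUM = 2 / 3  # assumed supermajority threshold, not from the article
MIN_DEPOSIT_AGE = 1       # assumed rule: a deposit must be >= 1 block old to vote


@dataclass
class Governance:
    block: int = 0
    deposits: dict = field(default_factory=dict)  # holder -> [(amount, block)]

    def deposit(self, holder, amount):
        self.deposits.setdefault(holder, []).append((amount, self.block))

    def withdraw_all(self, holder):
        return sum(a for a, _ in self.deposits.pop(holder, []))

    def weight(self, holder, min_age=0):
        # Count only deposits that have existed for at least min_age blocks.
        return sum(a for a, b in self.deposits.get(holder, [])
                   if self.block - b >= min_age)

    def can_emergency_execute(self, voter, min_age=0):
        total = sum(self.weight(h, min_age) for h in self.deposits)
        return total > 0 and self.weight(voter, min_age) / total >= EMERGENCY_QUORUM


def flash_loan_vote(gov, borrower, loan, min_age):
    """Borrow, deposit, check the vote, withdraw and repay within one block."""
    gov.deposit(borrower, loan)
    passed = gov.can_emergency_execute(borrower, min_age)
    repaid = gov.withdraw_all(borrower)
    assert repaid == loan  # the loan is returned in the same transaction
    return passed


def scenario(min_age):
    gov = Governance()
    gov.deposit("long_term_holders", 1_000_000)  # constructed balances
    gov.block += 100                             # existing deposits have aged
    return flash_loan_vote(gov, "borrower", 10_000_000, min_age)


if __name__ == "__main__":
    print("weight counted at vote time:", scenario(0))
    print("minimum deposit age enforced:", scenario(MIN_DEPOSIT_AGE))
```

With weight measured at vote time the borrowed deposit holds about 91% of the vote and the check passes; with the age rule it contributes nothing and the check fails.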

What happens now 

Beanstalk hasn’t shared its plans moving forward, so whether investors will be reimbursed remains uncertain.

“We believe there is a need to educate and inform non-technical market participants about the status, scope and limitations of technical audits. Our team is currently working on multiple initiatives aimed at demystifying audits,” reads the analysis.

The platform is still investigating the incident and has openly called on the DeFi community and blockchain analytics experts to help it salvage what it can. At the same time, it has also invited the exploiter to negotiate.

Interestingly, PeckShield blockchain analytics reports that the hacker has donated $250,000 of the stolen amount to Ukraine.

The trace of the stolen crypto assets (PeckShield)

The analysts note that the hacker has also used the Tornado Cash coin mixing service to hide their tracks.

DeFi platforms under fire

A Chainalysis report from last week indicates that DeFi platforms are the primary focus of crypto-heists in 2022, and the Beanstalk incident is yet another confirmation of this trend.

Typically, these hacks occur either via a security breach or an exploit in the code, so flash-loan attacks are likely to become less frequent.