Beanstalk Farms loses $182M in DeFi governance exploit

Credit-based stablecoin protocol Beanstalk Farms lost all of its $182 million collateral from a security breach caused by two sinister governance proposals and a flash loan attack.

The problem for the protocol was seeded by suspicious governance proposals BIP-18 and BIP-19 issued on April 16 by the exploiter that asked for the protocol to donate funds to Ukraine. However, those proposals had a malicious rider attached to them which ultimately created the sinkhole of funds from the protocol according to smart contract auditor BlockSec.

This latest security breach of a decentralized finance (DeFi) protocol took place at 12:24 pm UTC. At that time, the exploiter took out $1 billion in flash loans from the AAVE (AAVE) protocol denominated in DAI (DAI), USD Coin (USDC), and Tether (USDT) stablecoins. They used these funds to accumulate enough assets to take over 67% of the protocols governance and approve their own proposals.

A flash loan must be executed and repaid within a single block and usually calls on several smart contracts at once to complete. Flash loans have been used in the past to perform hacks or security exploits of other protocols. Beanstalk Farms is a decentralized algorithmic stablecoin issuing platform on Ethereum.

This case was technically not a hack as the smart contracts and governance procedures functioned as designed. Flaws in their design were exploited, which project spokesperson Publius acknowledged in a meeting on April 18th when he said:

Its unfortunate that the same governance procedure that put beanstalk in a position to succeed was ultimately its undoing.

Blockchain security analysis firm PeckShield notified the Beanstalk team via Twitter at 12:41pm UTC on April 17 that there might be an issue with the ominous statement: Hi, @beanstalkFarms, you may want to take a look.

At that point, it was too late. The exploiter had already made off with roughly $80 million in Ether (ETH) and Beans (BEAN) while the entire protocol lost its $182 million in total value locked (TVL) according to PeckShield. BEAN is currently down about 83% trading at $0.17 according to CoinGecko but troughed at $0.06 when the exploiter dumped their tokens.

The exploiter swapped BEAN for ETH and then sent the coins to Tornado Cash to cover their digital tracks. However, they also sent 250,000 USDC to the Ukraine Crypto Donation wallet.

At 11:49 pm UTC on April 17, Publius wrote that the project is likely lost since there is no venture capital backing to recoup losses, adding We are f**ked.

In a team and community meeting on the Beanstalk Discord channel on April 18, Publius doxxed the three individuals who developed the project. They are Benjamin Weintraub, Brendan Sanderson, and Michael Montoya, all of whom attended the University of Chicago together and conceived Beanstalk Farms.

Montoya said that the team had reached out to the Federal Bureau of Investigation (FBI) Crime Center and would fully cooperate with them to track down the perpetrators and recover funds.

The protocols smart contracts have been paused and all governance privileges have been revoked by the team.

Related: North Korean Lazarus Group allegedly behind Ronin Bridge hack

The team did not respond when Cointelegraph asked if they believe the FBI has any legal recourse to help them, but Publius believes this is definitely a theft that should be investigated.

Beanstalks community has been mostly supportive of the team in the trying time despite their own tremendous personal losses. However, community member Astrabean believes the team should be taking more responsibility for the attack rather than accepting what happened as an honest mistake that the project must move on from. He stated that I would have wanted you as leaders to take accountability for what happened.

Community member CharlieP echoed those concerns about trust in the protocol. He asked the team Are you saying you have no responsibility for this endeavor? If thats the case, who are we to trust that this is not going to happen again?

Publius responded that the project is just an open-source code experiment, not a business and that neither he nor the team should be held accountable for what happened. He added,

When you ask us to take responsibility, its really inappropriate.