On Sunday, Beanstalk Farms, an Ethereum-based stablecoin protocol, was exploited for USD 182 million. This exploit attack was initially flagged on Twitter by blockchain security firm PeckShield, which said the attacker made away with at least $80 million in crypto, although the losses suffered by the protocol were much larger.
The exploit took advantage of a flaw in Beanstalk’s oracle system to trigger a price manipulation attack that resulted in the protocol liquidating all of its assets. The attack began at around 12:00 UTC on Sunday, when the attacker started draining Beanstalk’s reserves by selling large amounts of the stablecoin BSK for Ethereum.
The market for Beanstalk’s BEAN stablecoin collapsed as a result of the attack. The Beanstalk token crashed over 80% from its USD 1 peg according to data from CoinGecko.
Beanstalk confirmed the attack in a tweet, saying that it is “working on a comprehensive post-mortem which will be made public in the coming days.” The protocol said that it is currently working with law enforcement to track down the attacker.
The Beanstalk team said that they are currently working on a fix for the flaw that was exploited.
Beanstalk is a decentralized credit-based stablecoin protocol”, Beanstalk offers a cryptocurrency, called beans, intended to have a stable value of US$1 a coin. The protocol is built on Ethereum and uses a decentralized network of lenders to stabilize the price. The protocol was launched in March 2020.
Beanstalk is effectively operated as a bank, letting savers (“bean farmers”) make deposits (of “beans” into a “field”), and using their savings to ensure that the value of a single bean stayed as close to $1 as possible.
The protocol was attacked on April 17th, with the attacker draining $182 million worth of beans from users’ fields. The beans were then converted into other assets, including Ethereum and USDC. The value of a single bean fell to as low as $0.015 as a result of the attack.
Beanstalk posted a summary of the attack on its Discord server. According to the posted summary, the attacker took out a flash loan on the lending platform Aave which was used to accumulate a huge amount of Beanstalk’s native governance token, Stalk. With the voting power granted by these Stalk tokens, the attacker was able to quickly pass a malicious governance proposal that drained all protocol funds into a private Ethereum wallet which the attacker-controlled.
According to tweets from PeckShield, the attacker laundered all stolen funds through a platform known as Tornado Cash, which enables users to send and receive crypto while obfuscating its source.
Beanstalk’s smart contracts were audited by the blockchain security firm Omnicia. However, the audit was completed before the introduction of the flash loan vulnerability, the firm said in a Sunday attack post-mortem. The attack is reminiscent of another high-profile hack that took place in February, in which an attacker drained $30 million from the Cream Finance DeFi protocol. That exploit also involved the use of a flash loan.
According to Peckshield, The attacker also appeared to donate $250,000 of the stolen funds to a Ukrainian relief wallet. It’s not yet clear whether the Beanstalk attackers will be able to cash out the rest of their ill-gotten payday
This is just the development in a string of high-profile decentralized finance (DeFi) exploits to occur in 2022. Last month, an attacker successfully manipulated the price of SushiSwap’s SUSHI token by dumping $13 million worth of cryptocurrency on the market.
The Beanstalk attack is notable for its size and sophistication.