
Beanstalk Farms Suffers Exploit Leading to $182 Million Loss

Updated by Geraint Price

In Brief

  • Beanstalk Farms lost $182 million in a governance exploit.
  • The scheme involved a seemingly innocent proposal with malicious code embedded in it.
  • Beanstalk says it should not be held accountable for the loss.

Beanstalk Farms is the latest project to fall victim to a security breach, losing all of its $182 million collateral in the process.

The credit-based stablecoin protocol was hit by a combination of two sinister governance proposals and a flash loan attack.

A flash loan must be executed and repaid within a single block and usually calls on several smart contracts at once to complete. Flash loans have been used in the past to perform hacks or security exploits of other protocols. Beanstalk Farms is based on Ethereum.

According to blockchain security firm PeckShield, the attacker potentially made off with 24,830 Ethereum (ETH) and 36m Bean (BEAN) in the breach.

Beanstalk confirm attack

Confirming the attack, Beanstalk Farms wrote that they are “engaging all efforts to try to move forward.”

“As a decentralized project, we are asking the DeFi [decentralized finance] community and experts in chain analytics to help us limit the exploiter’s ability to withdraw funds via CEXes. If the exploiter is open to a discussion, we are as well,” said a spokesman for Beanstalk Farms. 

Bailout unlikely

Since the attack, BEAN is down by 78.3% and is trading at $0.21. Publius, a core member of the team on Discord, said that the incident could lead to the demise of the asset. “This project has not had any venture backing, so it is highly unlikely there is any sort of bailout coming.”

PeckShield chronicled the nature of the attack, pointing out that it began with the passing of BIP-18 and BIP-19, which sought to donate funds to war-torn Ukraine.

Both PeckShield and the protocol’s auditor BlockSec agree that the proposals contained malicious code designed to “drain the pool’s fund.”

According to BlockSec, the attacker waited for a day after the passing of the emergency period to invoke the emergencyCommit.

To get past the two-thirds voting majority requirement, the hacker took out flash loans and deposited the borrowed tokens into the Diamond contract, which gave him voting power.

One-of-a-kind attack

With almost 79% of the voting power, the attacker drained the funds in what has been described as a one-of-a-kind attack. On-chain data indicates that the attacker sent 250,000 USD Coin (USDC) to an address affiliated with Ukraine’s donation efforts. 
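
The governance weakness described above comes down to when voting stake is measured: at execution time, or when the proposal was created. The following is an added example, not code from Beanstalk, PeckShield or BlockSec; the class, method names and balances are constructed for illustration and do not reproduce the Diamond contract.

```python
from collections import defaultdict
from fractions import Fraction

SUPERMAJORITY = Fraction(2, 3)  # two-thirds threshold named in the article


class Governance:
    """Toy stake-weighted governance model (constructed, not Beanstalk's code)."""

    def __init__(self):
        self.ledger = defaultdict(list)  # voter -> [(block, signed amount)]
        self.votes = defaultdict(set)    # proposal id -> voters in favour
        self.created = {}                # proposal id -> creation block

    def move(self, voter, amount, block):
        # Positive amount = deposit, negative amount = withdrawal.
        self.ledger[voter].append((block, amount))

    def balance_at(self, voter, block):
        return sum(a for b, a in self.ledger[voter] if b <= block)

    def propose(self, pid, block):
        self.created[pid] = block

    def support(self, pid, block):
        total = sum(self.balance_at(v, block) for v in self.ledger)
        yes = sum(self.balance_at(v, block) for v in self.votes[pid])
        return Fraction(yes, total) if total else Fraction(0)

    def can_commit_live(self, pid, now):
        # Weak: counts whatever stake is deposited at execution time.
        return self.support(pid, now) >= SUPERMAJORITY

    def can_commit_snapshot(self, pid):
        # Hardened: counts only stake held when the proposal was created.
        return self.support(pid, self.created[pid]) >= SUPERMAJORITY


def scenario():
    gov = Governance()
    gov.move("holders", 212, block=100)    # constructed balances
    gov.move("proposer", 1, block=100)
    gov.propose("P1", block=200)
    gov.votes["P1"].add("proposer")
    gov.move("proposer", 787, block=300)   # borrowed stake arrives in block 300
    live = gov.can_commit_live("P1", now=300)
    share = gov.support("P1", 300)
    gov.move("proposer", -787, block=300)  # loan repaid in the same block
    return live, gov.can_commit_snapshot("P1"), share, gov.support("P1", 300)
```

In this model the live check passes with 78.8% of stake for the length of one block, while the snapshot check sees only the 1 unit the proposer held when the proposal was created and rejects the commit.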

“The same governance procedure that put Beanstalk in a position to succeed was ultimately its undoing,” said Publius.

The project’s team has since said they are not to be blamed for the attack. Their stance whipped up controversy in the community, with members demanding they take responsibility for the incident.

“When you ask us to take responsibility, it’s really inappropriate,” said Publius. He argued that Beanstalk Farms was an open-source code project and was not run as a business so the team should be absolved of any wrongdoing.

Wahid Pessarlay
Wahid loves to write, especially about Crypto and Blockchain. He started his blogging journey in 2017 and turned to crypto in 2019. Wahid is interested in tech, chess and DeFi. He aims to promote decentralization to everyone on the planet.