A cybercriminal has stolen 76 million dollars (70.3 million euros at current exchange rates) from Beanstalk Farms, a credit-based decentralized finance (DeFi) stablecoin protocol, by means of a flash loan, in just 13 seconds.
The attack on Beanstalk Farms was first spotted by PeckShield on Twitter. The official Beanstalk Farms account subsequently confirmed it and explained that the attacker used “a flash loan to exploit the governance mechanism of the protocol and send the funds to a wallet he controlled.”
A flash loan lets a user borrow a large amount of cryptocurrency for a very short period: the loan must be repaid before the transaction completes. Flash loans are offered by Ethereum-based decentralized finance (DeFi) protocols, mainly to provide liquidity or to take advantage of price arbitrage opportunities at a given moment.
The operation against Beanstalk Farms was made possible by a flash loan of nearly 1 billion dollars (926.4 million euros) in assets, obtained through the decentralized protocol Aave, according to an analysis by the blockchain security firm CertiK, reported by the US outlet The Verge.
Hi, @BeanstalkFarms, you may want to take a look: https://t.co/wyHe3ARZgU
— PeckShield Inc. (@peckshield) April 17, 2022
The borrowed funds were exchanged for ‘beans’, the rewards users receive for contributing assets to a large funding pool that is used to stabilize the value of the protocol's token, itself known as a ‘bean’.
The attack took advantage of a weakness in the governance mechanism used by Beanstalk and many other DeFi projects: participants can vote to change the platform's code, and each participant's voting power is proportional to the value of the tokens they hold.
Beanstalk suffered an exploit today. The Beanstalk Farms team is investigating the attack and will make an announcement to the community as soon as possible.
— Beanstalk Farms (@BeanstalkFarms) April 17, 2022
The attacker used the ‘beans’ obtained through that exchange to hold 67 percent of the votes in Beanstalk Farms and thus approve the execution of code that transferred assets worth 76 million dollars (70.3 million euros) to his own wallet, as the company itself acknowledged in a statement. In total, the operation took 13 seconds.
Initially, media outlets such as The Verge reported that the attacker had stolen 182 million dollars (168.4 million euros), of which 80 million dollars net (74.04 million euros) remained after the flash loan was repaid, according to PeckShield estimates.
Beanstalk's new roadmap aims to ensure the sustainability of its economic model and attract enough capital to recover, in addition to retaining its current users, the platform explains.
Beanstalk has tried to recover much of the stolen funds with an offer to the attacker posted on its Twitter profile: if the attacker returns 90 percent of the stolen funds to a platform wallet, the remaining 10 percent will be treated as a ‘Whitehat’ reward, the kind of bounty that many organizations, websites and developers offer to individuals who report bugs and vulnerabilities in their platforms.
Many Beanstalk Farms users claim on the platform's Discord server that they lost tens of thousands of dollars in the attack. Since then, the attacker has been moving the stolen funds through Tornado Cash, a privacy-focused transaction service that mixes users' deposits together so that they can be withdrawn to a new address, according to The Verge.
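The governance weakness described above (vote weight read from whatever balance an account holds right now, and execution allowed in the same block) and the two controls that address it can be shown with a small model. The following Python is an added example written for this article; it is not Beanstalk's code, and the account names, balances, the 2/3 supermajority threshold and the `Governance` class are all constructed for illustration. It contrasts live-balance voting with snapshot voting (weight read from a block that closed before the proposal was created) and shows what an execution delay does and does not prevent.

```python
"""Toy model of token-weighted on-chain governance, showing why vote weight
taken from live balances can be inflated within a single block (the window in
which a flash loan exists), and how two standard controls behave:

  * snapshot voting: weight is read from balances recorded at the end of a
    block *before* the proposal was created, so tokens acquired in the current
    block carry no weight;
  * an execution delay (timelock) between proposal creation and execution.

Everything here is constructed for illustration: account names, balances,
the 2/3 supermajority threshold and the Governance class are not Beanstalk's
code or parameters.
"""

from dataclasses import dataclass, field

SUPERMAJORITY = 2 / 3   # constructed threshold; the article cites a 67% vote share


@dataclass
class Proposal:
    pid: int
    created_block: int
    votes_for: float = 0.0
    voters: set = field(default_factory=set)
    executed: bool = False


class Governance:
    """Token-weighted voting over a toy ledger of balances."""

    def __init__(self, balances, snapshot_voting, execution_delay):
        self.balances = dict(balances)            # live balances
        self.total_supply = sum(balances.values())
        self.snapshot_voting = snapshot_voting
        self.execution_delay = execution_delay    # blocks before execute() is allowed
        self.block = 0
        self.history = {}                         # block -> balances at end of that block
        self.proposals = {}
        self.snapshots = {}                       # pid -> balances used for vote weight

    def mine(self):
        """Close the current block (recording balances) and start the next one."""
        self.history[self.block] = dict(self.balances)
        self.block += 1

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0.0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0.0) + amount

    def propose(self):
        pid = len(self.proposals) + 1
        self.proposals[pid] = Proposal(pid, self.block)
        if self.snapshot_voting:
            # weight comes from the last *closed* block, never the current one
            self.snapshots[pid] = self.history[self.block - 1]
        return pid

    def weight(self, pid, voter):
        source = self.snapshots[pid] if self.snapshot_voting else self.balances
        return source.get(voter, 0.0)

    def vote(self, pid, voter):
        p = self.proposals[pid]
        if voter in p.voters:
            raise ValueError("already voted")
        p.voters.add(voter)
        p.votes_for += self.weight(pid, voter)

    def execute(self, pid):
        """Execute a proposal if the timelock has elapsed and the supermajority holds."""
        p = self.proposals[pid]
        if p.executed:
            return False
        if self.block - p.created_block < self.execution_delay:
            return False                          # timelock not yet elapsed
        if p.votes_for / self.total_supply < SUPERMAJORITY:
            return False
        p.executed = True
        return True


def simulate_same_block_vote(snapshot_voting, execution_delay):
    """One actor's balance is inflated to 70% of supply for a single block
    (the lifetime of a flash loan); a proposal is created, voted on and
    executed in that block, and the tokens go back. Returns
    (executed_in_same_block, executed_after_delay)."""
    gov = Governance({"holder_a": 20.0, "holder_b": 10.0, "pool": 70.0, "actor": 0.0},
                     snapshot_voting, execution_delay)
    gov.mine()
    gov.mine()                                    # two closed blocks; actor holds nothing
    gov.transfer("pool", "actor", 70.0)           # temporary balance, same block as below
    pid = gov.propose()
    gov.vote(pid, "actor")
    same_block = gov.execute(pid)
    gov.transfer("actor", "pool", 70.0)           # balance returned before the block closes
    for _ in range(execution_delay + 1):
        gov.mine()
    later = gov.execute(pid)                      # retry once any timelock has elapsed
    return same_block, later


if __name__ == "__main__":
    for cfg in [(False, 0), (False, 3), (True, 0), (True, 3)]:
        print("snapshot=%-5s delay=%d -> %s" % (cfg[0], cfg[1], simulate_same_block_vote(*cfg)))
```

With live balances and no delay the proposal passes and executes in the same block, which is the pattern the article describes. Adding only a timelock defers execution but does not remove the weight already tallied at vote time, so the proposal still executes once the delay elapses; the delay is worth having as defense in depth (it gives the community a window to notice and cancel), but it is the snapshot from a closed block that actually denies borrowed tokens any voting power. Production governors such as the Compound- and OpenZeppelin-style contracts read voting power at a past block for this reason; that machinery is not modelled here.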
If you will return 90% of the withdrawn funds to the Beanstalk Farms multi-sig wallet 0x21DE18B6A8f78eDe6D16C50A167f6B222DC08DF7, Beanstalk will treat the remaining 10% as a Whitehat bounty properly payable to you.
— Beanstalk Farms (@BeanstalkFarms) April 18, 2022