The world of cryptocurrency promises enormous gains. However, it also has the potential for huge losses, as Beanstalk Farms has discovered. The business lost about $182 million worth of crypto to an attacker.
Beanstalk Farms is a decentralized finance (DeFi) project that tries to balance supply and demand for different cryptocurrency assets.
The attacker took advantage of Beanstalk’s governance-by-vote system, which many DeFi systems use.
PeckShield, a blockchain security firm, spotted the hack on Sunday. The heist reportedly netted the attacker about $80 million. Beanstalk confirmed the attack later using its official Twitter handle. It posted, “Beanstalk suffered an exploit today. The Beanstalk Farms team is investigating the attack and will make an announcement to the community as soon as possible.”
Beanstalk calls itself a decentralized credit-based stablecoin protocol that rewards users who contribute to a central pool called the silo. The pooled funds are used to hold the value of the protocol's token, the bean, at about $1.
Participants can vote on any changes to the code powering the DeFi project, and the weight of each vote depends on the number of tokens the voter holds. This design left room for the weakness the attacker would eventually exploit.
The attack was possible thanks to another DeFi offering known as a flash loan. This feature lets participants borrow a large amount of cryptocurrency for a short time, usually measured in minutes or seconds. These quick loans are meant to let users take advantage of price fluctuations or provide liquidity, but in the wrong hands they can be used for criminal purposes.
As analyzed by CertiK, another blockchain security company, the attacker borrowed almost $1 billion in cryptocurrency through the Aave decentralized lending protocol. They then exchanged the borrowed assets for enough beans to command a 67 percent share of Beanstalk's voting power. With that majority, the hacker was able to approve a code change that moved assets to their wallet. The last step of the process, which took less than 13 seconds in total, was to pay back the loan, leaving an $80 million profit.
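As an added illustration of the weakness described above (this is not Beanstalk's code; holder names, balances and the borrowed amount are constructed), the following Python model compares a governance design that weighs votes by live balances and executes immediately with one that snapshots voting weight at proposal time and delays execution by a few blocks:

```python
from dataclasses import dataclass, field

@dataclass
class Governance:
    """Token-weighted governance. Constructed model, not Beanstalk's code."""
    balances: dict                  # holder -> governance tokens
    snapshot_voting: bool           # weigh votes by balance at proposal time
    execution_delay: int            # blocks between proposal and execution
    block: int = 0
    proposals: dict = field(default_factory=dict)

    def propose(self, pid):
        snap = dict(self.balances) if self.snapshot_voting else None
        self.proposals[pid] = {"created": self.block, "snapshot": snap, "yes": 0}

    def vote(self, pid, voter):
        p = self.proposals[pid]
        weights = p["snapshot"] if p["snapshot"] is not None else self.balances
        p["yes"] += weights.get(voter, 0)

    def can_execute(self, pid):
        p = self.proposals[pid]
        weights = p["snapshot"] if p["snapshot"] is not None else self.balances
        supermajority = 3 * p["yes"] > 2 * sum(weights.values())  # > 2/3
        matured = self.block - p["created"] >= self.execution_delay
        return supermajority and matured

def same_block_takeover(gov, attacker="attacker", borrowed=1_800):
    """Borrow, vote, try to execute and repay within one block.
    Returns True if the proposal would have executed."""
    gov.propose("change-code")          # proposer holds only a small stake
    gov.block += 1                      # voting opens in the next block
    gov.balances[attacker] += borrowed  # flash-loaned tokens arrive
    gov.vote("change-code", attacker)   # attacker now holds ~67% of supply
    executed = gov.can_execute("change-code")
    gov.balances[attacker] -= borrowed  # loan repaid in the same block
    return executed

HOLDERS = {"alice": 500, "bob": 400, "attacker": 100}  # constructed balances

def demo():
    """Returns (weak_design_executed, hardened_design_executed)."""
    weak = Governance(dict(HOLDERS), snapshot_voting=False, execution_delay=0)
    hard = Governance(dict(HOLDERS), snapshot_voting=True, execution_delay=2)
    return same_block_takeover(weak), same_block_takeover(hard)

if __name__ == "__main__":
    print(demo())  # (True, False)
```

Under the hardened design the borrowed tokens carry no weight because they were not held at the snapshot, and even a passing vote could not execute before the loan had to be repaid.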
Commenting on flash loan attacks, CertiK CEO and co-founder Ronghui Gu said, “We are seeing an increasing trend in flash loan attacks this year. These attacks further emphasize the importance of a security audit, and also being educated about the pitfalls of security issues when writing Web3 code.”
Publius, the team behind Beanstalk, admitted it had made no provision against flash loan attacks; the team apparently did not envisage such a scenario.
For investors in Beanstalk, the lost stake may not be recoverable. The hacker has been busy moving the loot through Tornado Cash, a mixing service that obscures the trail of cryptocurrency transactions. The founders of the Beanstalk project have said it may not receive a bailout because it has no VC backing. Many participants have said they lost tens of thousands of dollars in investment.