The decentralized, credit-based finance system Beanstalk announced on Sunday that it experienced a security breach resulting in financial losses of $182 million. The attacker ended up stealing crypto assets worth $80 million. This attack affected the confidence in Beanstalk’s market, and the value of its decentralized credit-based BEAN stablecoin has plummeted from a little over $1 on Sunday to $0.11 at the moment.
According to the decentralized finance (DeFi) platform’s Discord channel, the attacker took out a flash loan on Aave, a liquidity protocol, and used the voting power that came with holding a large quantity of the Stalk native governance token to approve a fraudulent proposal. A post-mortem analysis of the incident by Omniscia’s smart contract auditors and engineers explains that the hacker was able to take the assets using a malicious proposal.
“[…] Beanstalk Protocol experienced a flash-loan attack due to a flaw in its newly introduced Curve LP Silos that compromised the protocol’s governance mechanism, ultimately permitting the attacker to conduct an emergency execution of a malicious proposal siphoning project funds.”
Essentially, the attacker gave himself enough voting power to approve the action, which drained all of the protocol’s assets to a private Ethereum wallet instantly. A flash loan enables users to borrow a significant amount of stablecoins from other traders without putting up any collateral (unsecured). The process of authorizing and repaying the loan takes only seconds on the blockchain.
Some hackers have discovered weaknesses in several DeFi platforms that can be exploited within these short timeframes, allowing them to carry out malicious operations shortly after a flash loan is approved. DeFi platforms use decentralized pricing oracles and other security measures to counter this threat, although not all have built strong resistance. The successful attack on Beanstalk took advantage of the absence of a mechanism to stop the manipulation of governance via flash-loaned Stalk, which was the attack’s point of failure. Beanstalk hasn’t revealed its future plans, so whether investors will be reimbursed remains uncertain.
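To make the governance weakness concrete, here is a toy simulation of the failure mode described above: a governance contract that measures voting power from current token balances can be carried by tokens borrowed and repaid within a single block, whereas one that measures power from a balance snapshot taken at the start of the proposal’s block ignores the loan. This is an added example written for this page, not Beanstalk’s, Aave’s or Omniscia’s code; the account names, balances, the 66% emergency threshold and the simplification that the borrowed tokens themselves carry votes are all hypothetical.

```python
"""Toy model of flash-loan governance manipulation and a snapshot-based mitigation.

Constructed example, not Beanstalk's or any protocol's real code. The accounts,
balances and the 66% emergency threshold are hypothetical.
"""

from dataclasses import dataclass, field


@dataclass
class Proposal:
    created_block: int
    votes_for: int = 0
    voters: set = field(default_factory=set)


class Governance:
    """Minimal token-weighted governance over a treasury.

    snapshot_voting=False: weight = voter's balance at the moment the vote is cast.
    snapshot_voting=True : weight = voter's balance at the START of the block in
                           which the proposal was created, so tokens borrowed inside
                           that block carry no weight.
    """

    def __init__(self, balances, snapshot_voting, emergency_pct=66):
        self.block = 1
        self.balances = dict(balances)
        self.snapshots = {1: dict(balances)}  # balances as of each block's start
        self.snapshot_voting = snapshot_voting
        self.emergency_pct = emergency_pct  # supermajority allowing immediate execution
        self.proposals = []
        self.treasury = 1_000_000  # hypothetical protocol funds

    def total_supply(self):
        return sum(self.balances.values())

    def new_block(self):
        self.block += 1
        self.snapshots[self.block] = dict(self.balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def propose(self):
        self.proposals.append(Proposal(created_block=self.block))
        return len(self.proposals) - 1

    def vote(self, pid, voter):
        p = self.proposals[pid]
        if voter in p.voters:
            return
        if self.snapshot_voting:
            weight = self.snapshots[p.created_block].get(voter, 0)
        else:
            weight = self.balances.get(voter, 0)
        p.voters.add(voter)
        p.votes_for += weight

    def emergency_execute(self, pid):
        """Drain the treasury if the supermajority is met; return True if executed."""
        p = self.proposals[pid]
        if p.votes_for * 100 < self.emergency_pct * self.total_supply():
            return False
        self.treasury = 0
        return True


def flash_loan_scenario(snapshot_voting):
    """An account with no tokens borrows 70% of supply, proposes, votes, tries to
    execute and repays, all inside one block. Returns (executed, treasury_left)."""
    gov = Governance({"pool": 700, "honest": 300}, snapshot_voting)
    gov.transfer("pool", "attacker", 700)  # flash loan taken
    pid = gov.propose()
    gov.vote(pid, "attacker")
    executed = gov.emergency_execute(pid)
    gov.transfer("attacker", "pool", 700)  # loan repaid before the block ends
    return executed, gov.treasury


if __name__ == "__main__":
    print("current-balance voting:", flash_loan_scenario(False))  # (True, 0)
    print("snapshot voting:       ", flash_loan_scenario(True))   # (False, 1000000)
```

The snapshot rule is the same idea as the checkpointed “prior votes” used by several production governance contracts: because a flash loan must be repaid within the transaction that opened it, voting power that is read from a state before that transaction cannot be inflated by the loan. A mandatory delay between a proposal passing and its execution is a complementary control; the emergency execution path the post-mortem describes is precisely the one that bypassed such a delay.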
“We believe there is a need to educate and inform non-technical market participants about the status, scope and limitations of technical audits. Our team is currently working on multiple initiatives aimed at demystifying audits,” reads the analysis.
The platform is presently examining the event and has publicly requested assistance from the DeFi community and blockchain analytics specialists. At the same time, the exploiter has been asked to negotiate. The blockchain analytics firm PeckShield said that the hacker had given $250,000 of the stolen funds to Ukraine. According to the analysts, the hacker has also used the Tornado Cash coin mixing service to cover their tracks.
A Chainalysis evaluation released last week revealed that DeFi platforms would be the top target of crypto-heists in 2022, and the Beanstalk incident is another example of this trend. These hacks usually occur due to a security breach or a coding weakness, so flash-loan attacks are expected to become less common.