Beanstalk Farms Loses $182M in DeFi Governance Exploit

Loan-based stablecoin protocol Beanstalk Farms lost its entire $182 million in collateral in a security breach caused by two sinister governance proposals and a flash loan attack.

The trouble began with two suspicious governance proposals, BIP-18 and BIP-19, issued on April 16 by the exploiter, which asked the protocol to donate funds to Ukraine. According to smart contract auditor BlockSec, these proposals carried a malicious rider that ultimately drained the funds from the protocol.

This latest security breach of a decentralized finance (DeFi) protocol took place at 12:24 UTC. At that time, the exploiter took out $1 billion in flash loans from the Aave (AAVE) protocol, denominated in DAI (DAI), USD Coin (USDC), and Tether (USDT) stablecoins. They used these funds to acquire enough voting power to gain 67% control of the protocol and approve their own proposals.

A flash loan must be executed and repaid within a single block and typically requires multiple smart contracts at once to complete. Flash loans have historically been used to perform hacks or security exploits of other protocols. Beanstalk Farms is a decentralized algorithmic stablecoin issuance platform on Ethereum.
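To make the mechanics described above concrete, the following toy Python simulation (added here; not Beanstalk's contract code) models token-weighted governance in two variants: one that counts live balances and executes a proposal immediately, and one that snapshots weights at proposal time and enforces an execution delay of several blocks, so that tokens borrowed and repaid within a single block carry no lasting voting power. The `Governance` class, the delay value and the stake figures are constructed assumptions.

```python
"""Toy model of a flash-loan governance takeover and a timelocked fix.
Constructed example; abstracts away the real protocol's token mechanics."""

SUPERMAJORITY = 2 / 3        # emergency-commit threshold (the article's 67%)
EXECUTION_DELAY_BLOCKS = 7   # assumed delay for the hardened design


class Governance:
    def __init__(self, stakes, timelocked):
        self.stakes = dict(stakes)    # holder -> staked governance tokens
        self.timelocked = timelocked  # False = live-balance, same-block commit
        self.block = 0
        self.proposals = {}           # id -> (proposer, created_block, snapshot)
        self.executed = []

    def stake(self, who, amount):
        self.stakes[who] = self.stakes.get(who, 0) + amount

    def unstake(self, who, amount):
        assert self.stakes.get(who, 0) >= amount, "insufficient stake"
        self.stakes[who] -= amount

    def propose(self, pid, who):
        # Hardened design records a snapshot of weights when the proposal is made.
        self.proposals[pid] = (who, self.block, dict(self.stakes))

    def execute(self, pid, who):
        _proposer, created, snapshot = self.proposals[pid]
        total = sum(self.stakes.values())
        if self.timelocked:
            if self.block < created + EXECUTION_DELAY_BLOCKS:
                return False  # cannot land inside the flash loan's own block
            # Weight counts only tokens held at proposal time AND still held now,
            # so borrowed tokens that were already repaid carry no weight.
            weight = min(snapshot.get(who, 0), self.stakes.get(who, 0))
        else:
            weight = self.stakes.get(who, 0)  # vulnerable: live balance counts
        if total and weight / total >= SUPERMAJORITY:
            self.executed.append(pid)
            return True
        return False


def flash_loan_attack(gov, attacker="attacker", loan=1_000_000):
    """Every step runs inside one block, as a flash loan requires."""
    gov.stake(attacker, loan)             # borrowed tokens become voting stake
    gov.propose("BIP-malicious", attacker)
    passed = gov.execute("BIP-malicious", attacker)
    gov.unstake(attacker, loan)           # repay the loan before the block ends
    return passed
```

Against a live-balance design the borrowed stake passes the supermajority check within the block; against the timelocked design the same sequence is refused and the attacker ends the block holding nothing.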

This case was not technically a hack as the smart contracts and governance procedures worked as intended. Deficiencies in their design were exploited, which project spokesman “Publius” admitted at a meeting on April 18:

“It is unfortunate that the same governance process that enabled Beanstalk to thrive ended up being its undoing.”

Blockchain security analysis company PeckShield alerted the Beanstalk team via Twitter at 12:41 UTC on April 17 that something might be wrong, with the ominous message: “Hi, @beanstalkFarms, you might want to take a look.”

At that point it was too late. The exploiter had already made off with around $80 million in ether (ETH) and beans (BEAN), while the protocol lost its entire $182 million in total value locked (TVL), according to PeckShield. BEAN is currently down about 83% and trading at $0.17 according to CoinGecko, but hit a low of $0.06 when the exploiter dumped their tokens.

The exploiter traded BEAN for ETH and then sent the coins through Tornado Cash to cover their tracks. However, they also sent 250,000 USDC to the Ukraine Crypto Donation wallet.

At 23:49 UTC on April 17, Publius wrote that the project was likely doomed as there was no venture capital backing to offset losses, adding, “We’re screwed.”

In a team and community meeting on the Beanstalk Discord channel on April 18, Publius revealed the identities of the three people who developed the project. They are Benjamin Weintraub, Brendan Sanderson and Michael Montoya, who all attended the University of Chicago together and conceived Beanstalk Farms there.

Montoya said the team has contacted the Federal Bureau of Investigation (FBI) Crime Center and will “fully cooperate with them to track down the perpetrators and recover funds.”

The protocol’s smart contracts have been paused and all governance privileges have been revoked by the team.

The team didn’t respond when Cointelegraph asked if they think the FBI has legal resources to help them, but Publius believes this is definitely a theft that should be investigated.

Beanstalk’s community has largely supported the team through the difficult times, despite their own tremendous personal losses. However, community member Astrabean believes that the team should take more responsibility for the attack, rather than accepting what happened as an honest mistake that the project needs to move on from. He explained, “I would have wanted you, as leaders, to take responsibility for what happened.”

Community member “CharlieP” echoed these concerns about trust in the protocol. He asked the team, “Are you saying that you have no responsibility for this endeavor? If that’s the case, then who can we trust to make sure something like this doesn’t happen again?”

Publius replied that the project was just an open-source code experiment, not a business, and that neither he nor the team should be held accountable for what happened. He added,

“If you’re asking us to take responsibility, that’s really inappropriate.”