The decentralized finance industry has seen tremendous growth in recent years. Unfortunately, that increase in success has also given rise to more exploits and hacks, primarily through flash loans. Beanstalk Farms is the latest DeFi project to suffer from such an incident, resulting in a nearly $75 million theft.
Beanstalk Farms Gets Exploited
The decentralized nature of smart contracts can be both a blessing and a curse. It removes the need for intermediaries and centralized services, but it also makes recourse very difficult: if someone drains funds from a contract, there is no quick way to get the money back. That is a significant downside whenever an incident occurs, and incidents are still far too common in decentralized finance.
The latest exploit involves Beanstalk Farms. The project provides a decentralized credit-based stablecoin, dubbed $BEAN. That approach makes sense and has attracted a fair bit of liquidity from interested users. Sadly, the protocol also attracted attention from someone with nefarious intentions, who stole close to $75 million in ETH from it through a flash loan attack.
Another "crypto hack made simple" thread for ya. @BeanstalkFarms, a DeFi protocol, was just exploited for about $75m worth of Ether (~25k ETH). Here's how the heist went down.
— smartcontracts 🔴✨ (@kelvinfichter) April 17, 2022
A flash loan lets a user take out a loan and repay it within a single transaction. It is a convenient way to address the risk of borrowers not repaying their loans, although it has proven a weapon in the wrong hands. The no-risk approach for lenders is appealing (a loan that is not repaid in the same transaction is never issued, because the whole transaction is reverted), and it gives borrowers access to tremendous liquidity.
Attackers can leverage flash loans to borrow enormous sums in one go, although such attacks require a fair bit of knowledge. In the Beanstalk Farms case, the attacker borrowed $1 billion in DAI, USDC, and USDT from the Aave protocol. That liquidity was used to buy a large amount of $BEAN tokens. Additionally, they acquired $3CRV tokens from Curve Finance and $LUSD (another stablecoin) to generate derivative $BEAN tokens across multiple smart contracts.
A Meticulous $BEAN Manipulation Scheme
By acquiring these derivative tokens, the attacker was able to exert control over the $BEAN asset. The $BEAN token grants access to “Seeds”, which represent each user's voting power. However, derivative tokens can be converted directly into Seeds, enabling malicious actors to dominate the vote and execute an “emergency governance action”. Such actions include moving funds, roughly $180 million in this case, from the $BEAN contract to an external address.
With the proceeds from the $BEAN contract in hand, the culprit seemingly repaid the initial flash loan and pocketed roughly $75 million in profit. Granted, the initial step of borrowing $1 billion required a lot of capital, but the plan was meticulous nonetheless: the attacker also introduced, and approved, a governance proposal to introduce a one-day delay for governance actions on the $BEAN contract.
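To make the governance weakness described above concrete from a defender's perspective, here is an added toy simulation (not Beanstalk's code; addresses, Seed amounts and the `Governance` class are constructed). It shows why a vote tallied from live balances and executed immediately can be swung by capital held for a single transaction, while a snapshot of voting power taken at proposal time plus an execution delay neutralises the same manoeuvre.

```python
from dataclasses import dataclass, field


@dataclass
class Governance:
    """Constructed toy governance module: Seeds are voting power per address."""
    balances: dict                                 # current Seeds per address
    snapshots: dict = field(default_factory=dict)  # proposal_id -> balances frozen at proposal time
    delay_blocks: int = 0                          # 0 means an action can execute in the proposing block

    def propose(self, proposal_id: str, current_block: int) -> int:
        # Freeze voting power when the proposal is created so later deposits cannot change the tally.
        self.snapshots[proposal_id] = dict(self.balances)
        # Return the earliest block at which the proposal may execute.
        return current_block + self.delay_blocks

    def vote_share(self, proposal_id: str, voter: str, use_snapshot: bool) -> float:
        # Vulnerable pattern: weigh votes by live balances; hardened pattern: use the snapshot.
        source = self.snapshots[proposal_id] if use_snapshot else self.balances
        total = sum(source.values())
        return source.get(voter, 0) / total if total else 0.0


def single_tx_vote(gov: Governance, voter: str, borrowed_seeds: int,
                   proposal_id: str, use_snapshot: bool) -> float:
    """Deposit borrowed capital, read the vote share, withdraw again, all within one transaction."""
    gov.balances[voter] = gov.balances.get(voter, 0) + borrowed_seeds
    share = gov.vote_share(proposal_id, voter, use_snapshot)
    gov.balances[voter] -= borrowed_seeds   # capital is returned before the transaction ends
    return share


def can_execute_in_same_block(gov: Governance, proposal_id: str, block: int) -> bool:
    """True when a proposal created in `block` may also execute in `block` (no delay)."""
    return gov.propose(proposal_id, block) <= block


def demo() -> dict:
    # Constructed sample: honest holders control 100 Seeds in total; a borrower brings 900 for one tx.
    live = Governance(balances={"alice": 60, "bob": 40})
    live.propose("emergency-1", current_block=100)
    hardened = Governance(balances={"alice": 60, "bob": 40}, delay_blocks=7200)  # ~one day of blocks
    hardened.propose("emergency-1", current_block=100)
    return {
        "live_share": single_tx_vote(live, "borrower", 900, "emergency-1", use_snapshot=False),
        "snapshot_share": single_tx_vote(hardened, "borrower", 900, "emergency-1", use_snapshot=True),
        "live_same_block": can_execute_in_same_block(live, "emergency-2", 100),
        "hardened_same_block": can_execute_in_same_block(hardened, "emergency-2", 100),
    }
```

With live balances the borrower holds 90% of the vote for the duration of one transaction; with the snapshot it holds 0%, and the delay means the action could not execute before the borrowed capital has to be returned anyway.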
Interestingly, they also sent $250,000 in $BEAN tokens to a contract used for donations for victims of the war in Ukraine. Stolen funds are the last thing those people need, and it is an issue that will need to be resolved shortly. Someone thought long and hard about how to exploit this particular DeFi project and caused a fair bit of chaos in the process.