Defi beanstalk loses loan

Two suspicious governance proposals, BIP-18 and BIP-19, were issued by the exploiter on April 16, 2022. Coupled with a security breach, these proposals maliciously drained BEAN’s reserves. The attacker took $1 billion in a flash loan from the Aave protocol in DAI, USDC and USDT.

The six-figure DeFi exploit has left the protocol with empty reserves. Proponents believe there is a low likelihood that users’ lost funds will be reinstated, since the protocol now has zero financial backing.

Once the loan was approved, the attacker took control of 67% of the protocol’s governance and started approving their own proposals.

The proposals asked Beanstalk to donate funds to Ukraine. However, they were accompanied by a malicious rider that ultimately drained funds from Beanstalk’s reserves.

  • An Ethereum-based stablecoin protocol, Beanstalk Farms, suffered a $182 million exploit on April 17, 2022.
  • The attack was flagged by blockchain security firm PeckShield, and the stablecoin collapsed in response to the hack.
  • Beanstalk Farms’ token BEAN posted an 88% drop overnight as holders dumped the stablecoin after the exploit.
  • An Ethereum-based stablecoin protocol was drained of $182 million in a massive DeFi exploit. Beanstalk’s stablecoin BEAN collapsed in the aftermath of the hack, posting an 88% drop in price overnight.

    BEAN suffers six figure DeFi hack, loses 88% value

    Beanstalk Farms, a credit-based stablecoin, lost $182 million of its collateral in a massive security breach. The flash loan attack drained the stablecoin’s total reserve and triggered a collapse.

    “Our team is currently working on multiple initiatives aimed at demystifying audits,” reads the analysis.

    The platform is still investigating the incident and has openly called the DeFi community and blockchain analytics experts to help them salvage what they can. At the same time, it has also invited the exploiter to negotiate.

    We’re engaging all efforts to try to move forward. As a decentralized project, we are asking the DeFi community and experts in chain analytics to help us limit the exploiter’s ability to withdraw funds via CEXes.

    If the exploiter is open to a discussion, we are as well.

    “Like all other investors in Beanstalk, we lost all of our deposited assets in the Silo, which was substantial,” the founders wrote.

    It is not yet clear whether investors who lost funds will be reimbursed – or if so, how and to what extent. Beanstalk did not reply to an e-mail from Bloomberg seeking comment.

    Unlike traditional lending, which requires a loan to be secured with a collateral or credit checks, DeFi smart contracts allow users to borrow huge sums of stablecoins in what are known as flash loans, without any form of security. Flash loans, where the entire process of borrowing and returning the loan happens in a single transaction on the blockchain, are fairly popular among arbitrage traders.

    Flash loans have also turned out to be a soft target for exploits, as any lapse in a smart contract code lets an attacker manipulate the protocol and drain millions.

    With this supermajority stake, they were able to approve the execution of code that transferred the assets to their own wallet. The attacker then instantly repaid the flash loan, netting an $80 million profit.

    Based on the duration of an Aave flash loan, the entire process took place in less than 13 seconds.

    “We are seeing an increasing trend in flash loan attacks this year,” said CertiK CEO and co-founder Ronghui Gu. “These attacks further emphasize the importance of a security audit, and also being educated about the pitfalls of security issues when writing Web3 code.”

    When implemented properly, DeFi services benefit from all the security of blockchain, but their complexity can make code difficult to fully audit, making such projects an attractive target for hackers.


    This way, stablecoins are supposed to be less volatile than their unpegged counterparts.

    Meanwhile, Beanstalk’s market capitalization is down to $12.6 million while traders are actively dumping BEAN and recovering funds on Uniswap, FXStreet wrote.

    Beanstalk Declined Specific Questions

    When asked about whether stolen funds will be reimbursed to users, Beanstalk remained silent, stating only that more information will be available at a “town hall” meeting (organization-wide business meeting).

    “As a decentralized project, we are asking the DeFi community and experts in chain analytics to help us limit the exploiter’s ability to withdraw funds via CEXes.”

    In a postmortem examination of the Beanstalk fiasco by Omniscia’s smart-contract auditors, they explain how a flaw in Beanstalk’s design “compromised the protocol’s governance mechanism, ultimately permitting the attacker to conduct an emergency execution of a malicious proposal siphoning project funds.” In other words, there wasn’t sufficient built-in protection against this kind of snatch-and-run caper.

    The crook first put forward a governance proposal requesting donations for Ukraine.

    On April 17th, the decentralized finance (DeFi) project Beanstalk Farms was exploited for $182 million after an attacker mounted a lightning-fast hostile takeover, buying a controlling stake of tokens and immediately voting to send themself all of the funds.

    The incident sparked discussion around “governance attacks,” a way of manipulating blockchain projects that use decentralized governance structures by gaining enough voting rights to reshape the rules.

    In the wake of the attack, chat logs and video evidence show that the founders were warned about the risk of exactly this kind of attack, but they dismissed community members’ concerns.

    The Beanstalk exploit was made possible by another DeFi mechanism known as a “flash loan,” which allows users to borrow large amounts of cryptocurrency for very short periods of time.

    The attacker quietly funneled the funds via the private cryptocurrency mixer platform Tornado Cash.

    This allowed the attacker to amass enormous amounts of Beanstalk tokens while gaining the “voting power” necessary to pass malicious governance proposals.

    “Beanstalk did not use a flash loan resistant measure to determine the % of Stalk that had voted in favor of the BIP. This was the fault that allowed the hacker to exploit Beanstalk,” Beanstalk project leads said.

    Flash loans — quick smart contract loans that enable DeFi users to borrow crypto without putting down collateral — are something hackers like to exploit.
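    A minimal model of the fault described above, as an added example that is not Beanstalk's code: it compares counting voting power from live balances with counting it from a snapshot closed before the transaction. The class, function names and token amounts are constructed for illustration; the 67% threshold is the figure quoted on this page.

```python
# Added illustration: toy governance model, not Beanstalk's contract code.
from dataclasses import dataclass, field

SUPERMAJORITY = 0.67  # share of governance the page says the attacker controlled


@dataclass
class Governance:
    """Tracks voting-token balances per block; all names are hypothetical."""
    balances: dict = field(default_factory=dict)
    history: dict = field(default_factory=dict)  # block number -> balances copy
    block: int = 0

    def mine(self):
        """Close the current block and record its end-of-block balances."""
        self.history[self.block] = dict(self.balances)
        self.block += 1

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def withdraw(self, who, amount):
        self.balances[who] -= amount

    def share_live(self, who):
        """Flash-loan-prone: weight is read from balances at call time."""
        return self.balances.get(who, 0) / sum(self.balances.values())

    def share_snapshot(self, who, snapshot_block):
        """Flash-loan-resistant: weight is read from an already-closed block."""
        snap = self.history[snapshot_block]
        return snap.get(who, 0) / sum(snap.values())


def flash_loan_vote(resistant):
    """One transaction: borrow, deposit, attempt emergency execution, repay."""
    gov = Governance()
    gov.deposit("honest_holders", 1_000_000)  # constructed figures
    gov.mine()                                # block 0 closes; proposal is filed here
    proposal_block = 0
    gov.deposit("attacker", 3_000_000)        # borrowed inside the transaction
    if resistant:
        share = gov.share_snapshot("attacker", proposal_block)
    else:
        share = gov.share_live("attacker")
    executed = share >= SUPERMAJORITY
    gov.withdraw("attacker", 3_000_000)       # loan repaid in the same transaction
    gov.mine()
    return executed, round(share, 2)
```

    With live balances the borrowed deposit counts as 75% of voting power and the proposal executes; with the snapshot the same deposit carries no weight because it did not exist when the proposal block closed.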

    NEW YORK (BLOOMBERG) – Decentralised finance project Beanstalk Farms suffered one of the largest-ever flash-loan exploits on Sunday (April 17), sending its price tumbling.

    The credit-focused, Ethereum-based stablecoin protocol suffered a total loss of around US$182 million (S$248 million) and the attacker got away with around US$80 million of crypto tokens, according to blockchain security firm PeckShield, which had flagged the incident on Twitter.

    The project’s native token Bean fell about 75 per cent from its US$1 peg against the dollar, pricing from CoinGecko showed.

    The protocol’s creators disclosed their identities on Beanstalk’s Discord server, and said that they were not involved in the attack. “We are not aware of the identity of the individuals who were involved.”

    The BIP18 leads to the crafted code execution with the governance privilege to drain the pool fund. pic.twitter.com/qLYk7jhTCG

    — PeckShield Inc. (@peckshield) April 17, 2022

    • PeckShield also noted that the attacker withdrew the initial funds to start the hack from Synapse Protocol and deposited most of the stolen assets to Tornado Cash.
    • Interestingly, it appears that the perpetrator donated 250,000 USDC to the Ukraine Crypto Donation wallet.
    • Beanstalk’s Discord post explained that the attacker took a flash loan on Aave and amassed a vast portion of the project’s governance token (Stalk).
