$182M Stolen in Seconds as Beanstalk Hacker Exploited Bad Code with Flash Loan
Beanstalk, a decentralized credit-based stablecoin protocol, has been exploited for around $182 million over the weekend. The exploit marks the third multi-million DeFi hack so far in April—and comes barely a month since the $600M+ Ronin Network hack.
Beanstalk Exploited Due to Bad Code, Not Hacked
The Beanstalk incident is technically not a hack, rather the exploiter managed to take advantage of a flaw in the project’s design.
In their Discord server, developers detailed that the attacker first purchased approximately 212,000 Beans, the protocol’s stablecoin. The attacker then deposited those 212,000 Beans into the Silo, the Beanstalk DAO, and proposed two malicious governance proposals called BIP-18 and BIP-19.
Approximately 24 hours later, the attacker took out a series of flash loans totaling $1 billion from Aave. They then used the loan to accumulate as many whitelisted Silo assets as possible by buying Beans and adding liquidity pool (LP) positions. Next, they deposited all of the assets into the Silo and amassed a large amount of Beanstalk’s native governance token, Stalk.
Once the attacker accumulated a Stalk position of more than 67%, they voted to pass the BIP-18 governance proposal, which transferred all assets in the Beanstalk contract to their own wallet. The devs wrote:
“Beanstalk did not use a flash loan resistant measure to determine the % of Stalk that had voted in favor of the BIP. This was the fault that allowed the hacker to exploit Beanstalk.”
Following the exploit, the developers disclosed their identities and said they have contacted the FBI to investigate the matter. “We intend to fully cooperate with the FBI to track down the perpetrators, and hopefully recover everything that was stolen,” they added.
Notably, there have been two more multi-million DeFi hacks so far in April. Earlier this month DeFi lending protocol Inverse Finance (INV) was exploited for over $15 million. And last week, Elephant Money, a decentralized “yield farming” protocol on BNB Chain, lost more than $11 million in an attack.
While these hacks are significant, they are still nominal compared to Ronin’s more than $600 million hack that took place in March. At the time, Ronin, the sidechain for blockchain-based online mobile game Axie Infinity, lost 173,600 ETH tokens and 25.5 million USD coins after hackers managed to compromise five out of its nine validator nodes.
As reported, DeFi hacks increased by more than 1,330% last year after rising by another 335% in 2020. This suggests that hackers have recently shifted their focus toward DeFi platforms. This can be largely attributed to the fact that DeFi projects are open-source, meaning their code is publicly visible.
Join our Telegram group and never miss a breaking digital asset story.
What are Flash Loans? How Do They Work?
Flash loans are a relatively new form of uncollateralized lending that has emerged within the decentralized finance (DeFi) ecosystem. What makes flash loans unique is that the loan is obtained and fulfilled in the same transaction. In a sense, it is like the loan never happens.
Flash loans make use of smart contracts to ensure the borrower pays back the loan in the same transaction. If the borrower fails to pay back the loan instantly, the smart contract reverses the transaction.
While non-crypto natives might find it difficult to understand the benefit of taking a loan for a second (or a portion of a second), there are some use cases for these loans. For one, traders can use flash loans to profit from arbitrage opportunities. And there are also opportunities to use flash loans and exploit DeFi projects.
In the case of Beanstalk, the exploiter took a flash loan from Aave, used it to accumulate large amounts of governance tokens, and passed his malicious proposal. Notably, all of this happened simultaneously and in a matter of seconds.
Do you think DeFi could go mainstream if the security problems persist? Let us know in the comments below.