Beanstalk hack highlights the dangers of a malicious governance proposal

On April 17th, Beanstalk Farms, an Ethereum-based DeFi protocol, was hacked for roughly $182 million. PeckShield, a blockchain security startup, was the first to notice the theft and estimated that the attacker took at least $80 million in cryptocurrency; the protocol's own losses were significantly higher.

Beanstalk posted a summary of the incident on its Discord server.

According to Beanstalk's summary, the attacker took a flash loan on the lending platform Aave and used the borrowed funds to manipulate the smart contract and acquire a huge number of Beanstalk's native governance token, Stalk. The voting power conferred by those Stalk tokens let the attacker approve a malicious governance proposal almost immediately, siphoning all protocol funds into a private Ethereum wallet.
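As an added illustration (not Beanstalk's, Aave's or Omniscia's code), the toy model below, with a hypothetical quorum rule and constructed token balances, shows why a governance system that counts a vote from the voter's current balance can be passed with borrowed tokens inside a single block, while one that measures voting power from a block completed before the proposal existed gives the borrowed tokens no weight:

```python
# Added example, not Beanstalk's code: a toy model of token-weighted governance
# showing why counting voting power from the caller's *current* balance lets a
# flash loan (borrow, vote, execute, repay in one block) pass a proposal, and
# why measuring power at a block before the proposal was created defeats it.
from dataclasses import dataclass, field

QUORUM = 0.5  # hypothetical rule: proposal passes with more than half of supply


@dataclass
class Governance:
    balances: dict                       # holder -> governance tokens
    snapshot_votes: bool                 # power from block before proposal?
    block: int = 0
    history: dict = field(default_factory=dict)  # block -> balances at its end
    proposals: dict = field(default_factory=dict)

    def next_block(self):
        self.history[self.block] = dict(self.balances)
        self.block += 1

    def propose(self, pid):
        # Snapshot is taken from the last *completed* block, so tokens acquired
        # in the proposing block (e.g. via a flash loan) are not counted.
        snap = self.history.get(self.block - 1, {})
        self.proposals[pid] = {"votes": 0, "snapshot": snap}

    def vote(self, pid, voter):
        p = self.proposals[pid]
        src = p["snapshot"] if self.snapshot_votes else self.balances
        p["votes"] += src.get(voter, 0)

    def execute(self, pid):
        return self.proposals[pid]["votes"] > QUORUM * sum(self.balances.values())


def flash_loan_attempt(gov, loan=1_000):
    """One atomic sequence as in the article: borrow, propose, vote, execute,
    repay, all inside a single block. Returns whether the proposal executed."""
    gov.balances["attacker"] = gov.balances.get("attacker", 0) + loan
    gov.balances["pool"] -= loan            # borrowed from a liquidity pool
    gov.propose("drain")
    gov.vote("drain", "attacker")
    executed = gov.execute("drain")
    gov.balances["attacker"] -= loan        # repaid before the block ends
    gov.balances["pool"] += loan
    return executed


def run(snapshot_votes):
    # Constructed balances: a 1,000-token pool and a 400-token honest holder.
    gov = Governance({"pool": 1_000, "honest": 400}, snapshot_votes)
    gov.next_block()                        # one completed block of history
    return flash_loan_attempt(gov)
```

With live balances the borrowed 1,000 tokens outvote the 400 honest tokens and the proposal executes; with the snapshot they count for nothing, because the loan did not exist in any completed block.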

The hack nearly wiped out the market for Beanstalk's BEAN stablecoin. According to CoinGecko, the coin was down 77 percent from its $1 peg at the time of writing.

According to a recent analysis by Beanstalk's smart contract auditor Omniscia, the protocol was exposed to a flash-loan attack because of a flaw in its recently introduced Curve LP Silos, which compromised the protocol's governance structure. The code used in the attack, however, "had not been examined" since it "was inserted after our first assessments of the system," according to Omniscia. The project said further information would be provided at a Sunday event, but did not say whether customers would be reimbursed. According to PeckShield, the hacker appeared to send $250,000 of the stolen money to a Ukrainian humanitarian wallet.

The Beanstalk attack is the second multi-million-dollar DeFi exploit in less than a month, and the latest in a string of large decentralized finance (DeFi) hacks in recent weeks. According to US sources, the Ronin blockchain of Axie Infinity was hacked for $625 million last month in a North Korean-linked attack. Deus Finance, a DeFi derivatives platform previously covered by TronWeekly, suffered a $3 million loss in an attack in which Deus' products were deliberately manipulated using flash loans.

A video on this topic was recently published by the YouTube channel Master of Defi, which I frequently watch.
