Attackers swipe R1.2 billion from ethereum DeFi project Beanstalk in a flash-loan exploit

Business Insider US
  • Cyber-attackers stole $80 million (R1.2 billion) from stablecoin protocol Beanstalk in a massive flash-loan swindle Sunday.
  • As a result, the credit-focused decentralised finance protocol lost its $182 million in total value locked.
  • "We lost all of our deposited assets in the Silo, which was substantial," the founders said.

Cyber-attackers targeted ethereum-based stablecoin project Beanstalk Farms and made off with roughly $80 million (around R1.2 billion) in tokens in one of the largest flash-loan exploits ever.

As a result, the credit-focused decentralised finance protocol lost its $182 million in total value locked, meaning the overall value of crypto assets deposited. Its native token, BEAN, which is meant to be pegged to the dollar, fell more than 75% over the last day.

"We are not aware of the identity of the individuals who were involved," the founders said in the Beanstalk Discord channel. "Like all other investors in Beanstalk, we lost all of our deposited assets in the Silo, which was substantial."

Meanwhile, the attackers have already moved the entire $80 million in tokens they swiped into Tornado Cash to hide the funds, according to blockchain research firm PeckShield and Bloomberg.

The security breach stemmed from an infiltration of the governance proposal system of the protocol, which opened the door to the attack. The exploiter asked for the protocol to send funds to Ukraine as a donation, but the proposal had a malicious rider attached to it, leading to the fund drain.  

This case was not a technical hack, per se, but an exploitation of a design flaw in the governance procedure, which a project spokesperson addressed on Monday, CoinTelegraph reported.

"It's unfortunate that the same governance procedure that put Beanstalk in a position to succeed was ultimately its undoing," the spokesperson said.

In decentralised finance, so-called flash loans are made when users borrow massive sums of stablecoins without any collateral — something that isn't possible in traditional lending.

The borrowing and repayment are meant to happen instantaneously within a single transaction on the blockchain, and such loans are not uncommon among arbitrage traders.

However, by manipulating the protocol or smart contract code, an attacker can exploit vulnerabilities in the transaction and drain funds.
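The single-transaction property described above can be modelled in a few lines. The following Python sketch is an added example, not code from Beanstalk or from the original article: the ledger, account names and balances are constructed, and the two ways of measuring voting share are an assumption used to show why a governance system that reads live balances sees borrowed tokens while one that reads a prior-block snapshot does not.

```python
class Revert(Exception):
    """Abort the transaction; every state change is rolled back."""

class Chain:
    """Constructed toy ledger: live balances plus a prior-block snapshot."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.snapshot = dict(balances)  # balances before this block

    def transact(self, fn):
        """Run fn atomically: commit on success, restore state on Revert."""
        saved = dict(self.balances)
        try:
            return True, fn(self)
        except Revert:
            self.balances = saved
            return False, None

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Revert("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

def flash_loan(chain, pool, borrower, amount, callback):
    """Lend with no collateral; revert everything unless repaid in full."""
    before = chain.balances[pool]
    chain.transfer(pool, borrower, amount)
    result = callback(chain)
    if chain.balances[pool] < before:
        raise Revert("loan not repaid")
    return result

def vote_share(chain, voter, use_snapshot):
    """Share of supply a voter holds, from live or prior-block balances."""
    book = chain.snapshot if use_snapshot else chain.balances
    return book.get(voter, 0) / sum(book.values())

def share_during_loan(use_snapshot, repay=True):
    """Borrow 900 of 1000 tokens, read voting share mid-transaction."""
    chain = Chain({"pool": 900, "holder": 90, "borrower": 10})
    def inside(c):
        share = vote_share(c, "borrower", use_snapshot)
        if repay:
            c.transfer("borrower", "pool", 900)
        return share
    ok, share = chain.transact(
        lambda c: flash_loan(c, "pool", "borrower", 900, inside))
    return ok, share, chain.balances
```

With live balances the borrower briefly appears to hold 91% of supply; with the snapshot the same account counts for 1%, and an unrepaid loan leaves the ledger unchanged.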

The exploiters of Beanstalk did donate $250,000 of stablecoin USDC to Ukraine.