Beanstalk Farms, a credit-focused stablecoin protocol, suffered a massive security breach in which attackers moved a total of $182 million in collateral.
Two malicious governance proposals and a flash loan triggered the latest security breach at Beanstalk Farms. The two governance proposals, BIP-18 and BIP-19, were both submitted by the suspected attacker on April 16 and asked the protocol to donate funds to Ukraine.
Unknown to the protocol team, the proposals carried a malicious rider designed to introduce a flaw and ultimately open the channel through which the funds were drained, as explained by smart contract auditor BlockSec.
Exploiter Withdraws Billions in Flash Loans
In the latest security breach, the exploiter withdrew $1 billion in flash loans from the AAVE platform, mostly in stablecoins such as DAI, USDC, and USDT. The funds were then used to accumulate enough assets to control over 70% of the governance vote, enough to push through their own proposals.
A flash loan must be borrowed and repaid within a single block (in practice, within one transaction) and typically involves several smart contracts at once before it completes. Flash loans have also been used to carry out attacks on other protocols.
For context, Beanstalk Farms is a decentralized stablecoin-issuing protocol hosted on the Ethereum network.
From a technical point of view, the incident is not considered a hack, because the smart contracts and governance procedures functioned as designed. However, flaws in that design were exploited to carry out the heist.
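As an added illustration (not Beanstalk's code and not from the original article), the toy model below contrasts a governance design that weighs votes by live token balances, which a flash loan can capture within one block even when a proposal must age first, against a design that snapshots balances at proposal time; the holder names, balances, proposal id "BIP-X" and the 2/3 threshold are constructed assumptions.

```python
# Constructed toy model of token-weighted governance (not Beanstalk's code).
# Compares "live balance" voting, which a flash loan can swing in one block,
# with snapshot-at-proposal voting, where borrowed tokens carry no weight.
from dataclasses import dataclass, field

SUPERMAJORITY = 2 / 3  # share of voting supply needed to commit a proposal


@dataclass
class Governance:
    balances: dict             # holder -> token balance (constructed sample)
    snapshot_voting: bool      # True: weigh votes by balance at proposal time
    min_delay: int = 1         # blocks a proposal must age before committing
    block: int = 0
    proposals: dict = field(default_factory=dict)

    def propose(self, pid: str) -> None:
        # A snapshot freezes every holder's weight when the proposal is made.
        snap = dict(self.balances) if self.snapshot_voting else None
        self.proposals[pid] = {"created": self.block, "snap": snap, "votes": set()}

    def vote(self, pid: str, voter: str) -> None:
        self.proposals[pid]["votes"].add(voter)

    def try_commit(self, pid: str) -> bool:
        """True if the proposal reaches supermajority under this design's rules."""
        p = self.proposals[pid]
        if self.block - p["created"] < self.min_delay:
            return False  # timelock: a brand-new proposal cannot commit
        weights = p["snap"] if p["snap"] is not None else self.balances
        yes = sum(weights.get(v, 0) for v in p["votes"])
        return yes / sum(weights.values()) >= SUPERMAJORITY


def flash_loan_scenario(snapshot_voting: bool, wait_blocks: int) -> bool:
    """Proposer waits `wait_blocks`, then borrows tokens, votes and tries to
    commit within one block before repaying. Returns whether it passed."""
    gov = Governance({"honest": 100, "attacker": 1}, snapshot_voting)
    gov.propose("BIP-X")
    gov.block += wait_blocks                 # proposal ages past the timelock
    gov.balances["attacker"] += 300          # flash-loaned tokens arrive
    gov.vote("BIP-X", "attacker")
    passed = gov.try_commit("BIP-X")
    gov.balances["attacker"] -= 300          # loan repaid in the same block
    return passed
```

Note that the timelock alone does not help: with live balances the aged proposal still commits once the borrowed tokens arrive, while the snapshot design leaves the borrowed tokens with no weight.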
According to a Beanstalk Farms spokesperson, the same governance model designed to make Beanstalk a top player turned out to be its undoing, as the latest incident shows.
The Exploit as It Happened
By the time the Beanstalk team was notified of the flaws by blockchain analysis company PeckShield, it was too late: the exploiter had already disappeared with $80 million worth of ETH and BEAN. The Beanstalk protocol lost all of its $182 million in total locked value.
The exploiter proceeded to swap the BEAN tokens for ETH and cover their tracks by sending the funds to Tornado Cash. Meanwhile, 250,000 USDC was donated to Ukraine through the Ukraine Crypto Donation Wallet.
The Beanstalk Farms team is determined to see the exploiter held accountable under the law. Hence, the Federal Bureau of Investigation (FBI) was notified of the incident. The FBI has acknowledged receipt of the complaint and has pledged to work with the Beanstalk team to track down the offenders and recover the assets.
All smart contracts on the Beanstalk protocol have been paused until the issue is addressed.
Cointelegraph reached out to the team for their view on the legality of the FBI helping them recover their losses; the team maintains that the incident is a theft that needs to be investigated.