
Credit-Based Stablecoin Beanstalk ($BEAN) Hacked for $182M


Beanstalk, a decentralized credit-based stablecoin protocol that is built on the Ethereum network, suffered a security exploit this weekend. Blockchain security firm PeckShield reported that Beanstalk lost an estimated $182 million to the security breach.

Beanstalk Farms, the team that created and runs the Beanstalk protocol, has confirmed the exploit. On its official Twitter account, the team stated that the investigation into the attack is ongoing. The price of the $BEAN stablecoin has de-pegged from its $1 value and stood at $0.19 at the time of writing.

Bean Stablecoin Depeg
(Source: Coingecko)

 

Hackers Drain Beanstalk of $182 Million

According to PeckShield, the attack was executed primarily through a malicious Beanstalk Improvement Proposal (BIP-18) that was submitted and passed a day earlier. The proposal allowed crafted code to execute, giving the hackers “governance privilege” to drain funds from the Beanstalk pool.

The hackers used flash-loaned funds to assist in the passage of the malicious proposal and used additional flash-loaned funds to execute the exploit. The hackers netted $80 million of the stolen funds, with approximately $100 million spent on flash loan interest and swap fees paid to protocols such as Aave, Curve, SushiSwap, and Uniswap.
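The following simplified model shows why voting power borrowed for a single transaction can carry a proposal when votes are weighed by live balances, and why weighing them by balances checkpointed earlier does not count it. It is an added example, not Beanstalk's contract code; the ledger, holder names, amounts, block number and two-thirds threshold are constructed assumptions.

```python
from dataclasses import dataclass, field

QUORUM = 2 / 3  # assumed supermajority threshold (constructed, not from the article)


@dataclass
class GovToken:
    """Minimal voting-token ledger with per-block balance checkpoints."""
    balances: dict = field(default_factory=dict)
    checkpoints: dict = field(default_factory=dict)

    def mint(self, holder, amount):
        self.balances[holder] = self.balances.get(holder, 0) + amount

    def burn(self, holder, amount):
        self.balances[holder] -= amount

    def checkpoint(self, block):
        # Freeze a copy of balances as they stood at `block`.
        self.checkpoints[block] = dict(self.balances)


def proposal_passes(token, voters, snapshot_block=None):
    """Weigh votes by live balances (weak) or by a past checkpoint (hardened)."""
    book = token.balances if snapshot_block is None else token.checkpoints[snapshot_block]
    power = sum(book.get(v, 0) for v in voters)
    return power >= QUORUM * sum(book.values())


def simulate(use_snapshot):
    """One transaction in which voting power is borrowed, used, then returned."""
    token = GovToken()
    token.mint("holder_a", 600)   # constructed long-term holders
    token.mint("holder_b", 400)
    token.checkpoint(block=100)   # balances when the proposal was submitted

    token.mint("borrower", 5000)  # flash-loaned deposit, same transaction as the vote
    passed = proposal_passes(token, {"borrower"}, 100 if use_snapshot else None)
    token.burn("borrower", 5000)  # loan repaid before the transaction ends
    return passed, token.balances["borrower"]


if __name__ == "__main__":
    print("live-balance voting (passed, balance after):", simulate(False))
    print("snapshot voting (passed, balance after):    ", simulate(True))
```

In both runs the borrower ends the transaction with a zero balance; only the live-balance rule lets that transient holding decide the vote.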

Although the hackers showed some humanitarian feeling by donating $250k worth of USDC to Ukrainian crypto donation addresses, they have continued to launder the rest of the funds using Tornado Cash. Tornado Cash is a decentralized non-custodial protocol that allows private transactions and has proven helpful to hackers seeking to launder stolen funds.

Protocol Exploits Continue to Rise

Security breaches of decentralized protocols continue to increase at an alarming rate. This year alone, over $1 billion has been lost to these exploits. The most prominent incidents, as reported by Coinfomania, include the over $600 million stolen from blockchain gaming network Ronin and the over $300 million drained from cross-chain bridge protocol Wormhole.