Hacking. Disinformation. Surveillance. CYBER is Motherboard’s podcast and reporting on the dark underbelly of the internet.
Hackers stole $182 million from an Ethereum-based stablecoin protocol in what’s yet another attack on a crypto project.
On Sunday, cybersecurity firm PeckShield reported the attack on Beanstalk Farms, saying hackers stole more than $80 million for themselves, but the protocol’s losses appeared to be even higher. The company later said its initial analysis showed the losses amounted to around $182 million.
An hour after the hack was reported, Beanstalk confirmed it had been hacked in a tweet saying it had “suffered an exploit” and it was “investigating the attack.”
On Beanstalk’s official Discord channel, Publius, one of the developers of the project, commented on the hack, saying: Honestly not sure what to type. We are fucked. This project has not had any venture backing, so it is highly unlikely there is any sort of bail out coming.”
“Really a horrible day,” he added. “There are no funds left. […] they minted enough Beans to sell them and drain the liquidity on all pools.”
Because crypto can be so volatile, numerous stablecoin projects have popped up to provide even-keeled refuge for traders in the complex world of decentralized finance, or DeFi. Beanstalk did not seek to back its peg with cash reserves, but rather constructed financial incentives for protocol participants, who loan the platform tokens in return for a yield. The hack has caused the stablecoin Bean to break its $1 peg dramatically, and it currently trades at $.156 according to data from CoinGecko.
On Discord, the company shared more details of the hack. “An attacker was able to exploit Beanstalk and transfer all of the assets in the contract to their wallet,” the company wrote.
In short, the hackers did a “rogue update proposal” that sent all the funds to the hackers’ wallet, “that was passed with the power of a flash loan,” according to Tal Be’ery, a cybersecurity researcher and the chief technology officer of ZenGo. In other words, the hacker used a flash loan—a buzzy tool in DeFi that lets users take out an instant uncollateralized loan—and used those funds to buy enough voting power to push through a change that allowed them to steal from Beanstalk. Flash loans have been exploited in previous high-profile crypto hacks.
Do you have more information about the Beanstalk hack? Or other web3 and crypto hacks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email email@example.com
“The problem is that their voting system was not well protected against flash-loan attacks,” Be’ery told Motherboard in an online chat. “In theory, you get to vote proportionally to your holdings, assuming the bigger stake you have, you are more concerned about the protocol and take more time to validate the improvement proposal. However, with Flash loans you have an “artificial” stake , because the loans need to be immediately repaid and thus do not represent a genuine interest in the protocol.”
Blockchain security firm Omniscia, which audited Beanstalk Farms’ code in the past, analyzed the attack in a blog post. According to the company, the hacker compromised the protocol’s governance mechanism taking advantage of a flaw in a new service they launched, “ultimately permitting the attacker to conduct an emergency execution of a malicious proposal siphoning project funds.”
A Beanstalk spokesperson known as Publius did not immediately respond to a request for comment via email.
According to PeckShield, the hackers laundered all the stolen crypto through Tornado Cash, a well-known service that helps users mix and tumble crypto in order to obfuscate their funds’ movements; and they also donated $250,000 to the Ukraine Crypto Fund, a fund where people can donate cryptocurrency to Ukraine’s government.
This is the latest in a long string of hacks against crypto and decentralized finance (DeFi) projects. Earlier this month, hackers stole $300,000 from the blockchain-based game WonderHero. At the end of March, hackers stole more than $600 million from the play-to-earn game Axie Infinity. The US government attributed this attack to North Korean government hackers, adding the wallet they used to transfer the stolen funds to a sanctions list in an attempt to make it harder for the hackers to move or spend the stolen crypto.
In the last few months going back to last year, among several other hacks, hackers have stolen $600 million from Poly Network, $320 million from cross-chain bridge Wormhole, $30 million from popular exchange Crypto.com, around $4 million from users of Multichain, $140 million from a crypto gaming company, almost $120 million from visitors to the website of a DAO, and $150 million from a crypto exchange.