$182 Million Stolen In Seconds As Beanstalk Hacker Exploited Bad Code With Flash Loan
Beanstalk, a decentralized credit-based stablecoin protocol, was exploited for around $182 million over the weekend. The exploit marks the third multimillion-dollar DeFi hack so far in April – and comes barely a month since the $600 million-plus Ronin network was hacked.
Beanstalk exploited due to bad code, not hacked
The Beanstalk incident was technically not a hack; rather, the exploiter took advantage of a flaw in the design of the project.
In their Discord server, the developers explained that the attacker first bought around 212,000 Beans, the protocol’s stablecoin. The attacker then deposited these 212,000 Beans into the Silo, the Beanstalk DAO, and submitted two malicious governance proposals, BIP-18 and BIP-19.
Around 24 hours later, the attacker took out a series of flash loans totaling $1 billion from Aave. They used the loan to accumulate as many whitelisted Silo assets as possible by buying Beans and adding liquidity pool (LP) positions, then deposited all of these assets in the Silo and amassed a large amount of Beanstalk’s native governance token, Stalk.
Once the attacker’s Stalk position exceeded 67% of the vote, they voted to adopt governance proposal BIP-18, which transferred all of Beanstalk’s contract assets to their own wallet. The developers wrote:
“Beanstalk did not use a flash loan strength metric to determine the % of Stalk that voted for BIP. It was the fault that allowed the hacker to exploit Beanstalk.”
Following the exploit, the developers revealed their identities and said they contacted the FBI to investigate the matter. “We intend to cooperate fully with the FBI in tracking down the perpetrators and hopefully recovering whatever was stolen,” they added.
Notably, there have been two other multimillion-dollar DeFi hacks so far in April. Earlier this month, DeFi lending protocol Inverse Finance (INV) was exploited for over $15 million. And last week, Elephant Money, a decentralized “yield generation” protocol on BNB Chain, lost over $11 million in an attack.
While these hacks are significant, they are still small compared to the $600 million-plus Ronin hack that took place in March. At the time, Ronin, the sidechain built for the Axie Infinity mobile game, lost 173,600 ETH and 25.5 million USDC after hackers managed to compromise five of its nine validator nodes.
As previously noted, DeFi hacks grew by over 1,330% last year after growing 335% in 2020, which suggests that hackers have been focusing on DeFi platforms. This can largely be attributed to the fact that DeFi projects are open-source, meaning their code is publicly visible to anyone looking for flaws.
What are flash loans? How do they work?
Flash loans are a relatively new form of collateral-free lending that has emerged within the decentralized finance (DeFi) ecosystem. What makes flash loans unique is that the loan is obtained, used and repaid within the same transaction. In a way, it’s as if the loan never happened.
Flash loans use smart contracts to ensure that the borrower repays the loan in the same transaction. If the borrower does not repay the loan instantly, the smart contract cancels the transaction.
While non-crypto natives may find it hard to understand the benefit of taking out a loan for a second (or a fraction of a second), there are legitimate use cases for these loans. On the one hand, traders can use flash loans to take advantage of arbitrage opportunities; on the other, flash loans can also be used to operate DeFi projects.
In the case of Beanstalk, the exploiter took out a flash loan from Aave, used it to accumulate a large amount of governance tokens, and passed their malicious proposal. Notably, all of this happened within a single transaction, in a matter of seconds.
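As an added illustration (not Beanstalk’s code, and all names, balances and the treasury figure are constructed), the toy model below shows the design flaw the developers describe: when vote weight is read from live deposits at execution time, tokens borrowed for one transaction count as voting power, whereas freezing balances in a snapshot when the proposal is created makes the same sequence fail.

```python
# Toy governance model: live vote weight (the flaw) vs. a proposal-time snapshot
# (the mitigation). Hypothetical simulation; all figures are constructed.

SUPERMAJORITY = 2 / 3  # share of governance power a proposal needs to pass


class Governance:
    def __init__(self, deposits, snapshot_votes):
        self.deposits = dict(deposits)        # governance tokens deposited per address
        self.snapshot_votes = snapshot_votes  # True = mitigation, False = the flaw
        self.treasury = 1_000_000             # constructed protocol treasury
        self.proposals = {}

    def deposit(self, who, amount):
        self.deposits[who] = self.deposits.get(who, 0) + amount

    def withdraw(self, who, amount):
        assert self.deposits.get(who, 0) >= amount
        self.deposits[who] -= amount

    def propose(self, pid):
        # Balances are frozen here; the naive design simply never consults them.
        self.proposals[pid] = {"snapshot": dict(self.deposits), "yes": set()}

    def vote(self, pid, who):
        self.proposals[pid]["yes"].add(who)

    def execute(self, pid):
        """Return True and drain the treasury if 'yes' power exceeds the supermajority."""
        p = self.proposals[pid]
        weights = p["snapshot"] if self.snapshot_votes else self.deposits
        yes = sum(weights.get(v, 0) for v in p["yes"])
        if yes <= SUPERMAJORITY * sum(weights.values()):
            return False
        self.treasury = 0  # modelled outcome of a treasury-transfer proposal
        return True


def flash_loan_scenario(snapshot_votes, legit_holders=1_000_000, loan=5_000_000):
    """Replay the sequence from the article against a chosen vote-weight rule."""
    gov = Governance({"holders": legit_holders}, snapshot_votes)
    gov.deposit("attacker", 20_000)  # small position bought a day earlier
    gov.propose("BIP")               # proposal created, then waits out its delay
    # --- the following calls stand for one atomic transaction ---
    gov.deposit("attacker", loan)    # flash-borrowed tokens deposited
    gov.vote("BIP", "attacker")
    drained = gov.execute("BIP")
    gov.withdraw("attacker", loan)   # withdrawn and repaid in the same transaction
    return drained
```

With the live rule the borrowed tokens give the attacker a supermajority for the instant the proposal executes; with the snapshot rule only the 20,000 tokens held at proposal time count, which is far below the threshold.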
About the Author
Ruholamin Haqshanas is an accomplished crypto and finance journalist with over two years of writing experience in the field. He has a solid understanding of various segments of the FinTech space, including the decentralized iteration of financial systems (DeFi) and the emerging non-fungible token (NFT) market. He is an active user of digital assets for remittances.