
Beanstalk Farms $76 Million Exploit and its Path Forward

@kevinnag58 · 3 min read

Introduction

On April 18, 2022, Beanstalk Farms, a credit-based stablecoin protocol, reported an exploit in which $76 Million was stolen from the platform. While not of the magnitude of some of the exploits we have seen, $76 Million is nonetheless not 'chump change'.

Interestingly, Beanstalk Farms' founders, including Benjamin Weintraub, Brendan Sanderson and Michael Montoya, stressed that this theft was not the result of a hack. Beanstalk attributes the theft to a previously unknown design flaw in the platform's governance process. Specifically, "Beanstalk’s Discord explained that the attacker took a flash loan on Aave and amassed a vast portion of the project’s governance token (Stalk). This enabled them to pass a malicious governance protocol and send the funds to an Ethereum wallet" [Lyanchev, J. Beanstalk Farms Lost $180M in Flash Loan Attack, Hacker Donates 250K USDC to Ukraine. (Accessed April 20, 2022)].

For those interested, details concerning the mechanics of this exploit are set forth in a Tweet by Peckshield Inc. as follows:

[Embedded tweet image not preserved]

The Path Forward for Beanstalk Farms

On April 18, Beanstalk Farms posted the following tweet on its Twitter feed:

[Embedded tweet image not preserved]

Under this offer, should the exploiter choose to return 90% of the stolen funds, the exploiter would be entitled to keep the remaining 10% as a 'whitehat bounty' (the term platforms usually use for the reward offered to individuals who come forward and report security vulnerabilities). The deal calls for the 90% to be returned to Beanstalk Farms’ multisignature wallet.

In a statement yesterday, Beanstalk Farms announced that it has temporarily shut off its governance protocols and halted platform operations while it works on a strategy to relaunch.

As for moving forward:

[Embedded tweet image not preserved]

Building on this, Beanstalk founder and spokesperson Benjamin Weintraub appeared on a podcast yesterday to begin discussing Beanstalk's path forward:

'Let’s start with what’s the problem. Beanstalk had something like $76 million stolen from it yesterday. Now, it needs to recoup as much of that money as possible. It doesn’t need to recoup all of that money.' Weintraub floated a number of possibilities to raise the required funds should the exploiter fail to return the funds, such as offering a newly created token or slashing its users’ token holdings, known as Pods, Stalk and Beans. Pods, Stalk and Beans are the ERC-20 tokens used to power the credit-based stablecoin protocol. However, Weintraub admits that the specific structure to raise the capital is still 'very much in the air,' but remained upbeat about the protocol’s survivability.

[Ng, F. Beanstalk Farms offers plea deal to perpetrators of $76M exploit. (Accessed April 20, 2022)].

Despite the apparent optimism of Mr. Weintraub, "since the attack, BEAN is down by 78.3% and is trading at $0.21. Publius, a core member of the team on Discord, said that the incident could lead to the demise of the asset. 'This project has not had any venture backing, so it is highly unlikely there is any sort of bailout coming.'" [CoinCu. Beanstalk Farms Suffers Exploit Leading to $182 Million Loss. (Accessed April 20, 2022)].

It should be noted that this exploit happened just as the platform was gaining traction. On April 15, 2022, the company tweeted:

[Embedded tweet image not preserved]

But then on April 17, 2022:

[Embedded tweet image not preserved]

Final Thoughts

When a platform's security is threatened, even the value of a fiat-backed stablecoin may tumble (loss of peg, etc.). And clearly, flash-loan attacks such as the one that occurred here continue to plague the cryptocurrency industry (e.g. Pancake Bunny, Cream Finance, etc.). These platforms must immediately adopt flash-loan-resistant governance measures, such as raising the voting percentage required for a proposal to pass, so that attacks like this one are thwarted. What is clear, without assigning blame, is that Beanstalk Farms fell short in this regard.
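To make the mechanism in the Introduction and the countermeasure called for above concrete, here is an added toy model (it is not Beanstalk's code, and the account names, balances, block numbers and the 67% threshold are constructed). It contrasts a naive token-weighted vote, where voting power is the caller's current balance and a proposal can be created, voted on and executed in one transaction, with the checkpoint-and-delay pattern used by many governance contracts, where voting power is read from a block that is already sealed. A flash loan must be repaid before its transaction ends, so borrowed tokens never survive into a sealed checkpoint and never count as votes.

```python
"""Toy governance model: same-transaction flash-loan voting versus a
checkpoint-and-delay design. Added illustration with constructed data;
not the protocol's own code."""
import copy
from dataclasses import dataclass


@dataclass
class Proposal:
    created_block: int
    start_block: int      # block whose end-of-block balances define voting power
    votes_for: int = 0
    executed: bool = False


class Chain:
    """Minimal ledger: balances change within a block; advancing the block
    freezes a copy of the balances, as an on-chain checkpoint would."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.block = 0
        self.history = {}  # block number -> balances at the end of that block

    def advance_block(self):
        self.history[self.block] = copy.deepcopy(self.balances)
        self.block += 1

    def transfer(self, src, dst, amount):
        assert self.balances.get(src, 0) >= amount, "insufficient balance"
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class NaiveGovernance:
    """Vulnerable design: current balance is voting power and there is no delay,
    so propose/vote/execute can all happen inside one transaction."""

    def __init__(self, chain, threshold_bps):
        self.chain, self.threshold_bps, self.proposals = chain, threshold_bps, []

    def propose(self):
        self.proposals.append(Proposal(self.chain.block, self.chain.block))
        return len(self.proposals) - 1

    def vote(self, pid, voter):
        self.proposals[pid].votes_for += self.chain.balances.get(voter, 0)

    def execute(self, pid):
        p = self.proposals[pid]
        supply = sum(self.chain.balances.values())
        if p.votes_for * 10_000 >= supply * self.threshold_bps:
            p.executed = True
        return p.executed


class SnapshotGovernance(NaiveGovernance):
    """Hardened design: voting power comes from a sealed checkpoint, and voting
    opens only after the checkpoint block has ended."""

    VOTING_DELAY = 1  # blocks between proposal creation and the checkpoint block

    def propose(self):
        now = self.chain.block
        self.proposals.append(Proposal(now, now + self.VOTING_DELAY))
        return len(self.proposals) - 1

    def _snapshot(self, p):
        # The checkpoint exists only once the chain has advanced past start_block.
        return self.chain.history.get(p.start_block)

    def vote(self, pid, voter):
        p = self.proposals[pid]
        snap = self._snapshot(p)
        if snap is None:
            raise RuntimeError("voting not open: checkpoint block not yet sealed")
        p.votes_for += snap.get(voter, 0)

    def execute(self, pid):
        p = self.proposals[pid]
        snap = self._snapshot(p)
        if snap is not None and p.votes_for * 10_000 >= sum(snap.values()) * self.threshold_bps:
            p.executed = True
        return p.executed


def flash_loan_attack(gov_cls, threshold_bps=6_700):
    """Constructed scenario: a holder of 10 tokens borrows 9_000 from a pool,
    tries to propose, vote and execute, then must repay before the block ends.
    Returns True if the malicious proposal executed."""
    chain = Chain({"pool": 9_000, "honest": 990, "attacker": 10})
    chain.advance_block()                      # block 0 sealed: only real holdings
    gov = gov_cls(chain, threshold_bps)
    chain.transfer("pool", "attacker", 9_000)  # flash loan received
    pid = gov.propose()
    try:
        gov.vote(pid, "attacker")
        executed = gov.execute(pid)
    except RuntimeError:
        executed = False
    chain.transfer("attacker", "pool", 9_000)  # loan repaid before the block ends
    for _ in range(SnapshotGovernance.VOTING_DELAY + 1):
        chain.advance_block()
    if not executed:                           # retry once voting is open
        gov.vote(pid, "attacker")              # now counts only the 10 really held
        executed = gov.execute(pid)
    return executed


def honest_proposal(gov_cls, threshold_bps=6_700):
    """Constructed scenario: a holder of 70% of supply passes a proposal by
    waiting for the voting window, showing the hardened design still works."""
    chain = Chain({"pool": 2_000, "honest": 7_000, "attacker": 1_000})
    chain.advance_block()
    gov = gov_cls(chain, threshold_bps)
    pid = gov.propose()
    for _ in range(SnapshotGovernance.VOTING_DELAY + 1):
        chain.advance_block()
    gov.vote(pid, "honest")
    return gov.execute(pid)


if __name__ == "__main__":
    print("naive, flash loan   :", flash_loan_attack(NaiveGovernance))      # True
    print("snapshot, flash loan:", flash_loan_attack(SnapshotGovernance))   # False
    print("snapshot, honest 70%:", honest_proposal(SnapshotGovernance))     # True
```

The naive design executes the attacker's proposal with 9,010 of 10,000 votes in the same block the loan was taken; the checkpoint design refuses the vote until the checkpoint block is sealed, by which point the loan has been repaid and the attacker commands only 10 votes. Raising the threshold alone, as the paragraph above suggests, helps only if the attacker cannot borrow enough supply; the delay is what removes borrowed tokens from the count entirely.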

If you take anything away from this article, let it be with these words of warning: in the cryptoverse, even stablecoins are not without risk!

Good luck.

Posted Using LeoFinance Beta