Beanstalk Farms, an Ethereum-based DeFi protocol suffered major exploitation to the tune of $182 million on 17th April. Blockchain security firm PeckShield was the first to identify the heist and reported that the attacker stole away at least $80 million in crypto, although the losses suffered by the protocol were much larger.
Beanstalk on its Discord server gave a brief outline of the attack that occurred. As per Beanstalk’s analysis, the attacker employed a flash loan on the lending platform Aave to manipulate the smart contract and amass a large amount of Beanstalk’s native governance token, Stalk.
With the voting power granted by these Stalk tokens, the attacker was able to quickly pass a sinister governance proposal siphoning all protocol funds into a private Ethereum wallet.
The attack caused the market for Beanstalk’s BEAN stablecoin to near annihilation. At the time of writing, the token was down by 77% from its $1 peg according to CoinGecko.
In a post-mortem report, Beanstalk’s smart contracts auditor Omnicia said that the protocol experienced a flash-loan attack due to a flaw in its newly introduced Curve LP Silos that compromised the protocol’s governance mechanism.
But stated that the code exploited in the attack “has not been audited” by Omniscia “as it was introduced beyond our initial audits of the system”. Without mentioning whether funds would be reimbursed to users, the platform assured users that more news will be coming in an event scheduled for Sunday.
In a bizarre twist, Peckshield noted that the hacker appeared to donate $250,000 of the stolen funds to a Ukrainian relief wallet.
Beanstalk’s attack is the second nine-figure DeFi exploit in a month
The incident is the latest in a string of major decentralized finance [DeFi] exploits to occur in the past few weeks. Last month, Axie Infinity’s Ronin Blockchain was exploited for $625 million in an attack that U.S. officials found to have North Korea links.
In a previous coverage by TronWeekly, DeFi derivatives platform Deus Finance suffered an attack leading to the loss of over $3 million. Attackers employed flash loans to artificially modify the prices on Deus’ offerings.