PeckShield, a blockchain security company that aims to improve the security, privacy and usability of the entire blockchain ecosystem, announced in a tweet that the decentralized finance (DeFi) protocol Beanstalk (BEAN) has fallen victim to a hacker.
According to current data – which is likely to change as the investigation progresses – the hacker is believed to have walked away with more than $82 million, while Beanstalk is believed to have suffered losses to the tune of $182 million. Beanstalk is a credit-oriented stablecoin protocol based on Ethereum (ETH).
Beanstalk suffered an exploit today.— Beanstalk Farms (@BeanstalkFarms) April 17, 2022
The Beanstalk Farms team is investigating the attack and will make an announcement to the community as soon as possible.
The founders of the project have since been communicating on Discord and claim to be in the investigation phase.
As for the company PeckShield, it explains that the hacker stole 80 million dollars by making them transit on Tornado Cash (mixer protocol). Specifically, he managed to steal 24,830 ETH, which is equivalent to approximately $75.8 million.
The @BeanstalkFarms protocol loss is ~$182m and the hacker nets $80m. The rest $100m goes to various protocols as fees to pay flashloan and swap. Should these protocols (incl. @AaveAave @SushiSwap @CurveFinance @Uniswap @BeanstalkFarms) return these fees back to @BeanstalkFarms?— PeckShield Inc. (@peckshield) April 18, 2022
How did the hacker manage to attack Beanstalk?
The BeanStalk (BEAN) protocol hack was carried out using a flash loan attack. A new type of collateral-free financing, this technique is increasingly making the news: it is sometimes used by malicious individuals on unsecured DeFi protocols.
The founders of Beanstalk summarized the process of the attack in a long message on Discord to the community:
In it, they explain that the hacker had previously contracted a flash loan on the Aave platform so that he was able to obtain a significant amount of native Beanstalk governance tokens. Using these tokens, a “malicious governance proposal drained all the protocol’s funds to a private Ethereum wallet.”
“Beanstalk did not use a flash-loan resistant metric to determine the % of Stalk that had voted in favor of the BIP. This is the fault that allowed the hacker to exploit Beanstalk.”Beanstalk founders, explanatory Discord message
Another surprising point is that the hacker first made a donation worth $250,000 to Ukraine.
Unfortunately for the users, the founders of Beanstalk do not give any answer or guarantee about the refund of the stolen funds. They even seem defeatist for the future of Beanstalk. However, more news should be announced and hasty conclusions cannot be drawn.