Beanstalk Farms Lost $182 Million Due To The Governance Mechanism

April 17, 2022

Summary #

On April 17, 2022, Beanstalk Farms, an Ethereum-based DeFi protocol that enables users to earn yield on their cryptocurrency deposits, fell victim to a flash loan attack. This attack resulted in a staggering loss of $182 million, including around $77 million in assets taken from liquidity pools unrelated to Beanstalk. The attacker managed to profit from the exploit, absconding with 24,840 ETH, equivalent to roughly $80 million. The remaining $106 million was returned via a flash loan to Aave, the lending platform. The attacker leveraged the governance mechanism of the protocol, utilizing a flash loan to acquire voting rights and subsequently transferring the project’s funds into their own wallet. To obfuscate their illicit activities, the stolen assets were converted to Ethereum and laundered through Tornado Cash, a privacy-focused tool. In a brazen move, the attacker even made a donation of $250,000 to the Ukrainian relief fund Ukraine Crypto Donation, showcasing their audacious handling of the stolen funds. As a consequence of this attack, the value of the BEAN stablecoin plummeted by approximately 88%, reaching a meager $0.12 per token.

Attackers #

The identities of the attackers involved in the Beanstalk Farms attack remain unknown. However, their address on the Ethereum blockchain is 0x1c5dCdd006EA78a7E4783f9e6021C32935a10fb4. This specific address has been labeled as the “Beanstalk Flashloan Exploiter,” indicating their involvement in the exploit.

Losses #

Breakdown of the lost $182 million:

36 million BEAN ($36 million).
$33 million in ETH and $32m in BEAN from ETH-BEAN UNI v2 LP tokens ($65 million).
79.2 million BEAN3CRV-f Curve LP tokens ($79.2 million).
1.6 million BEAN-LUSD Curve LP tokens ($1.6 million).

Timeline: #

April 16, 2022, 08:38 AM: The attacker deposited BEAN tokens into Beanstalk to create a malicious proposal called “InitBip18.” This proposal was utilized to transfer assets to the attacker and took 24 hours to process.
April 17, 2022, 12:24 PM: The exploiter initiated the attack to execute BIP18.
April 17, 2022, 3:24 PM: A total of 24,849.1 ETH (equivalent to $76,424,649.505) was transferred to Tornado cash, with a possibility that 9 ETH belonged to the attacker.
April 17, 2022, 6:41 PM: The attack was detected by PeckShield, a blockchain analytics company. They promptly shared a tweet exposing the malicious transaction.
April 17, 2022, 8:36 PM: Beanstalk Farms confirmed the attack on Twitter. The Beanstalk team took immediate action by temporarily disabling protocol governance and pausing Beanstalk’s operations.
April 19, 2022, 2:45 AM: Beanstalk offered a “whitehat bounty” of 10% of the stolen amount to the hacker if they returned 90% of the funds to Beanstalk Farms’ wallet.
August 6, 2022: On its one-year anniversary, Beanstalk resumed its protocol operations and relaunched on the Ethereum mainnet.

Security Failure Causes #

The hack occurred due to a security flaw in the governance design of the protocol. The attacker leveraged a flash loan acquired through Aave to borrow nearly $1 billion in cryptocurrency assets, granting them a 67% voting stake in Beanstalk. Exploiting this majority control, they authorized the execution of code that facilitated the transfer of assets to their personal wallet. This attack exploited the emergencyCommit() function, which enabled the immediate implementation of a proposal with a 2/3 majority vote, bypassing the protocol’s protective measures.

Market Health Metrics API

Benford's Law

Volume distribution analysis

Time-of-Trade

Buy/Sell Ratio

VWAP

Attack Types

Entity Types

Target Entities

51% Attacks

Custodian Attacks

Flash Loan Attacks

Lockout Scams

Phishing Attacks

Reentrancy Attacks

Rug Pull Scam