Attacker Drains $182M From Beanstalk Stablecoin Protocol

The flash-loan attack becomes the second nine-figure DeFi exploit in a month.

AccessTimeIconApr 17, 2022 at 6:30 p.m. UTC
Updated May 11, 2023 at 3:57 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

Beanstalk Farms, an Ethereum-based stablecoin protocol, was exploited for $182 million Sunday.

The attack was flagged on Twitter by blockchain security firm PeckShield, which said the attacker made away with at least $80 million in crypto, although the losses suffered by the protocol were much larger.

The market for Beanstalk’s BEAN stablecoin collapsed as a result of the attack. At press time, the token was down 86% from its $1 peg, according to CoinGecko.

When reached for comment, Beanstalk pointed CoinDesk to a post in its Discord server summarizing how the attack occurred.

According to the summary, the attacker took out a flash loan on lending platform Aave, which was used to amass a large amount of Beanstalk’s native governance token, stalk. With the voting power granted by these stalk tokens, the attacker was able to quickly pass a malicious governance proposal that drained all protocol funds into a private Ethereum wallet.

According to PeckShield, the attacker laundered all stolen funds through Tornado Cash, which enables users to send and receive crypto while obfuscating its source.

Project leads wrote in the attack summary:

“Beanstalk did not use a flash loan resistant measure to determine the % of Stalk that had voted in favor of the [governance proposal]. This was the fault that allowed the hacker to exploit Beanstalk.”

Beanstalk’s smart contracts were audited by the blockchain security firm Omnicia. However, the audit was completed before the introduction of the flash loan vulnerability, the firm said in a Sunday post-mortem.

Beanstalk declined to provide details to CoinDesk regarding whether funds would be reimbursed to users, saying more news will be coming in a town hall event scheduled for Sunday.

The attacker appeared to donate $250,000 of the stolen funds to a Ukrainian relief wallet, according to PeckShield.

This is the latest in a string of major decentralized finance (DeFi) exploits to occur in the past few weeks. In March, Axie Infinity’s Ronin Blockchain was exploited for $625 million in an attack that U.S. officials have linked to North Korea.

UPDATE (April 18, 14:19 UTC): Added information about Tornado Cash.

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk offers all employees above a certain salary threshold, including journalists, stock options in the Bullish group as part of their compensation.

Sam Kessler

Sam is CoinDesk's deputy managing editor for tech and protocols. He reports on decentralized technology, infrastructure and governance. He owns ETH and BTC.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.