A cyber attacker drained around $182 million of cryptocurrency from Beanstalk Farms, a DeFi project intended to balance the supply and demand of various cryptocurrency assets.
In the cyberattack Beanstalk’s majority vote governance system, which is a major feature of several DeFi protocols, got exploited.
On Sunday morning, PeckShield, a blockchain analytics firm, discovered the assault, which it estimated resulted in a net profit of around $80 million for the hacker.
In a tweet shortly after the attack, Beanstalk acknowledged it, stating that they were “investigating the incident and would provide an update to the community as soon as possible.”
The “decentralized credit based stablecoin protocol” that Beanstalk refers to as a “neutral and automated financial services network.” A system in which participants earn rewards by contributing funds to a central funding pool (known as the silo) is used to balance the value of one token (known as a bean).
Beanstalk, like many other DeFi projects, includes a governance mechanism in which users can vote together on changes to the code.
They would then have voting rights based on the value of tokens they owned, opening them up to manipulation.
Another DeFi product called a “flash loan” allowed attackers to execute the attack because it enables users to borrow enormous amounts of cryptocurrency for very short durations (minutes or even seconds).
Flash loans are intended to provide liquidity or take advantage of price arbitrage possibilities, but they may also be used for less reputable aims.
According to CertiK research, the Beanstalk attacker utilized a flash loan obtained through the decentralized protocol Aave to borrow roughly $900 million in cryptocurrency assets and exchange them for enough beans to acquire a 67 percent voting position in the project.
They were able to approve the execution of code that transferred the assets to their personal wallet with this supermajority ownership. The flash loan was repaid instantly, netting the attacker an $80 million profit.
The duration of an Aave flash loan is 13 seconds, according to the time it takes to complete the process.
DeFi services, while they have the benefits of blockchain security, may require complex code and systems that might cause such projects to be an appealing target for hackers.
In the case of the Beanstalk hack, Publius personnel acknowledged that they had not provided any means to prevent a flash loan assault, however it was likely apparent until then.
As of press time, a request for comment (sent to the Publius crew through Discord) has yet to be answered.
The potential risks of decentralized management were also discussed, with examples including the tech giant IBM deciding to use its own private blockchain solution instead of a public one.
There is little that an investor in Beanstalk can do if their staked coins have been stolen. After the assault, the value of the BEAN stablecoin has dropped dramatically, necessitating a $1 peg and trading for around 14 cents on Monday afternoon.