In what comes as another unfortunate but teachable moment for the decentralised finance (DeFi) community, the Ethereum-based DeFi protocol Beanstalk Farms suffered a flash loan attack that drained $182 million in digital assets from the platform.
The attack was pointed out to Beanstalk Farms on Twitter by the blockchain security analysis firm PeckShield, which also provided an estimate of the losses suffered by the protocol.
Our initial analysis shows the @BeanstalkFarms loss is ~$182m ! Here is the breakdown of stolen assets: 79,238,241 BEAN3CRV-f, 1,637,956 BEANLUSD-f, 36,084,584 BEAN, and 0.54 UNI-V2_WETH_BEAN. https://t.co/8OzPn8F8ot
— PeckShield Inc. (@peckshield) April 17, 2022
Flash loans are essentially a decentralised, uncollateralised form of borrowing. In conventional credit, the borrower not only has to go through a thorough process to establish their ability to repay the loan, but must also present assets as collateral in case they fail to repay it. A flash loan circumvents this process by employing what are called “smart contracts”. Smart contracts are operations on a blockchain, essentially code executing a sequence of transactions: the borrowing of the digital asset, the trade it is meant to be used for, and the repayment of the asset (with a small fee to the DeFi protocol).
Smart contracts operate in an atomic fashion, meaning that if any step of the transaction is not completed (an error in the trade, or failure to repay the loan), the entire transaction is reversed, preventing any loss to the lender. This ensures that the whole transaction either occurs instantaneously (in a flash, hence the term) or does not occur at all.
A flash loan attack is a way in which malicious operators exploit the DeFi ecosystem. The attacker borrows from a DeFi protocol and manipulates the value of the tokens involved in the smart contract’s trade, essentially making the platform believe the loan has been repaid.
In the case of Beanstalk, the attacker used the protocol to borrow a massive amount of its native token, BEAN. This allowed the attacker to exploit a vulnerability in Beanstalk Farms, since holding a sufficient amount of BEAN grants the holder voting power on the platform.
The attacker, as reported by PeckShield, got away with $80 million in cryptocurrency assets. With the attacker dumping the token onto the market, and the news breaking and shaking holders’ confidence, the value of BEAN dropped by 86%, from $1 to $0.14, causing a loss of $182 million to the platform. It was also reported that the attacker donated $250,000 to a Ukraine relief wallet.
The development team revealed their identities on Beanstalk’s Discord server. The developers, namely Benjamin Weintraub, Brendan Sanderson and Michael Montoya, denied any involvement in the attack in a Discord post.
“Beanstalk did not use a flash loan resistant measure to determine the % of Stalk that had voted in favor of the BIP. This was the fault that allowed the hacker to exploit Beanstalk,” the developers wrote in the post. “We are not aware of the identity of the individuals who were involved. Like all other investors in Beanstalk, we lost all of our deposited assets in the Silo, which was substantial,” they added.
Confirming the platform’s shortcomings as a reason for the incident, spokesperson ‘Publius’ said in a statement: “It’s unfortunate that the same governance procedure that put Beanstalk in a position to succeed was ultimately its undoing.”
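To make two points from the article concrete, the atomic execution of a flash loan described earlier and the developers’ remark that the share of Stalk voting for a BIP was not measured in a flash loan resistant way, here is a small Python model. It is an added illustration, not part of the original article and not Beanstalk’s code: the `Ledger`, `flash_loan` and `Governance` names, the 2/3 pass threshold and the token balances are all constructed for the example. It contrasts a governance contract that reads a voter’s live balance at vote time with one that reads the balance snapshotted when the proposal was created, and checks that a flash loan whose repayment fails leaves the ledger untouched.

```python
from copy import deepcopy


class Revert(Exception):
    """Raised when a step fails; the whole flash-loan transaction is undone."""


class Ledger:
    """Toy token ledger (constructed for this example)."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, sender, receiver, amount):
        if self.balance_of(sender) < amount:
            raise Revert(f"{sender} cannot pay {amount}")
        self.balances[sender] -= amount
        self.balances[receiver] = self.balance_of(receiver) + amount

    def total_supply(self):
        return sum(self.balances.values())


def flash_loan(ledger, pool, borrower, amount, body):
    """Lend `amount` from `pool`, run `body`, then demand repayment.
    Any Revert restores the ledger to its pre-transaction state, which is
    the atomic all-or-nothing behaviour the article describes."""
    saved = deepcopy(ledger.balances)
    try:
        ledger.transfer(pool, borrower, amount)
        body()
        ledger.transfer(borrower, pool, amount)  # repayment; fee omitted for brevity
    except Revert:
        ledger.balances = saved
        raise


class Governance:
    """Proposal voting with two ways of measuring vote weight.
    'live' reads the voter's current balance at vote time (inflatable by a
    loan held inside the same transaction); 'snapshot' reads the balance
    recorded when the proposal was created, so tokens acquired afterwards
    carry no weight."""

    THRESHOLD = 2 / 3  # constructed supermajority, not Beanstalk's actual rule

    def __init__(self, ledger, weight_source):
        assert weight_source in ("live", "snapshot")
        self.ledger = ledger
        self.weight_source = weight_source
        self.proposals = {}

    def propose(self):
        pid = len(self.proposals)
        self.proposals[pid] = {
            "snapshot": dict(self.ledger.balances),  # balances at proposal time
            "supply": self.ledger.total_supply(),
            "votes": {},
        }
        return pid

    def vote(self, pid, voter):
        p = self.proposals[pid]
        if self.weight_source == "live":
            weight = self.ledger.balance_of(voter)
        else:
            weight = p["snapshot"].get(voter, 0)
        p["votes"][voter] = weight

    def passes(self, pid):
        p = self.proposals[pid]
        return sum(p["votes"].values()) / p["supply"] >= self.THRESHOLD


def vote_counts_borrowed_tokens(weight_source):
    """Design check: does a voter holding 1% of supply pass a proposal while
    temporarily holding the pool's liquidity inside a flash loan?"""
    ledger = Ledger({"pool": 89, "holders": 10, "voter": 1})  # constructed supply of 100
    gov = Governance(ledger, weight_source)
    pid = gov.propose()  # proposal exists before the loan; snapshot taken here
    result = {}

    def body():
        gov.vote(pid, "voter")  # voter's live balance is now 90 of 100
        result["passed"] = gov.passes(pid)

    flash_loan(ledger, "pool", "voter", 89, body)
    return result["passed"]


def failed_repayment_is_reverted():
    """Atomicity check: if the borrower cannot repay, the ledger is unchanged."""
    ledger = Ledger({"pool": 89, "voter": 1})
    before = dict(ledger.balances)

    def body():
        ledger.transfer("voter", "sink", 50)  # tokens leave the borrower; repayment will fail

    try:
        flash_loan(ledger, "pool", "voter", 89, body)
    except Revert:
        pass
    return ledger.balances == before


if __name__ == "__main__":
    print("live weight, borrowed tokens decide vote:", vote_counts_borrowed_tokens("live"))
    print("snapshot weight, borrowed tokens decide vote:", vote_counts_borrowed_tokens("snapshot"))
    print("failed repayment fully reverted:", failed_repayment_is_reverted())
```

With live weighting the borrowed balance passes the proposal; with snapshot weighting the same voter counts only for the 1% held when the proposal was created. Production governance contracts go a step further than this toy: the snapshot is taken from a block before the proposal and a voting delay separates proposal from execution, so that creating a proposal, voting on it and executing it cannot all happen inside one transaction.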