Hack and the Beanstalk

Market Meditations | April 18, 2022

A stablecoin protocol running on Ethereum was attacked for $80+ million yesterday. In the aftermath, Beanstalk Farm’s stablecoin, BEAN, has collapsed, losing 85% of its value since de-pegging.

  • Peckshield, a respected blockchain security and analytics company, reported the exploit on Twitter yesterday, putting the loss at $80 million.
  • Beanstalk’s smart contracts had been audited by Omnicia, but the code containing the flash loan vulnerability was added after the audit was completed.
  • The Beanstalk Farms team has halted the network and turned governance off while they investigate.

How it went down:

To summarize, the attacker(s) took out a flash loan from Aave to purchase enough assets to achieve 67% majority control of the Silo (Beanstalk’s DAO). They also submitted an improvement proposal that would transfer all the assets in the Beanstalk contract to their wallet. This improvement proposal passed because Beanstalk’s code allowed a proposal to be “emergency committed” once more than 67% of the vote was in its favor.

In an explanation posted on Beanstalk’s Discord, a member of the project team said, “Beanstalk did not use a flash loan resistant measure to determine the % of Stalk that had voted in favor of the BIP (Beanstalk Improvement Proposal). This was the fault that allowed the hacker to exploit Beanstalk.”
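The two paragraphs above describe the whole failure: voting power was measured from balances at the moment of the emergency commit, so tokens that exist only for the duration of a flash loan counted in full. The model below is an added illustration, not Beanstalk’s code or anything from its repository; the token, holders, amounts, the “pool” that lends tokens and the attacker are all constructed. It tallies the same vote two ways: from live balances (the vulnerable measure) and from balances checkpointed at the block before the proposal was created (the usual flash-loan-resistant measure, the idea behind ERC20 “Votes” checkpoints), and shows that only the first lets a one-block loan clear the >67% threshold.

```python
"""Flash-loan-vulnerable vs. flash-loan-resistant governance tallying (constructed model)."""
from bisect import bisect_right
from collections import defaultdict

SUPERMAJORITY = 2 / 3  # emergency-commit threshold: more than 67% of voting power


class GovToken:
    """Governance token that checkpoints every balance change by block number,
    so voting power can be read as of a past block instead of right now."""

    def __init__(self):
        self.block = 0
        self._bal = defaultdict(int)
        self._hist = defaultdict(list)  # holder -> [(block, balance), ...]
        self._supply_hist = []          # [(block, total_supply), ...]
        self.total_supply = 0

    def next_block(self):
        self.block += 1

    def _checkpoint(self, holder):
        self._hist[holder].append((self.block, self._bal[holder]))

    def mint(self, to, amount):
        self._bal[to] += amount
        self.total_supply += amount
        self._checkpoint(to)
        self._supply_hist.append((self.block, self.total_supply))

    def transfer(self, src, dst, amount):
        if self._bal[src] < amount:
            raise ValueError("insufficient balance")
        self._bal[src] -= amount
        self._bal[dst] += amount
        self._checkpoint(src)
        self._checkpoint(dst)

    def balance_of(self, holder):
        return self._bal[holder]

    @staticmethod
    def _at(history, block):
        # Value of the last checkpoint written at or before `block`; 0 if none exists.
        blocks = [b for b, _ in history]
        i = bisect_right(blocks, block)
        return history[i - 1][1] if i else 0

    def balance_at(self, holder, block):
        return self._at(self._hist[holder], block)

    def supply_at(self, block):
        return self._at(self._supply_hist, block)


class Proposal:
    def __init__(self, token, created_block):
        self.token = token
        self.snapshot_block = created_block - 1  # power is fixed before the proposal exists
        self.voters = set()

    def vote_for(self, voter):
        self.voters.add(voter)

    def share_live(self):
        """Vulnerable: counts what voters hold *now*, so flash-borrowed tokens count in full."""
        t = self.token
        return sum(t.balance_of(v) for v in self.voters) / t.total_supply

    def share_snapshot(self):
        """Resistant: counts balances as of the snapshot block; a same-block loan is invisible."""
        t = self.token
        held = sum(t.balance_at(v, self.snapshot_block) for v in self.voters)
        return held / t.supply_at(self.snapshot_block)

    def emergency_commit_check(self, resistant):
        share = self.share_snapshot() if resistant else self.share_live()
        return {"share": share, "committed": share > SUPERMAJORITY}


def run_scenario(resistant):
    """Constructed scenario: three honest holders and a liquidity pool (hypothetical names);
    a borrower takes the pool's tokens, votes, attempts the commit and repays in one block."""
    t = GovToken()
    for holder, amount in (("alice", 30), ("bob", 30), ("carol", 40)):
        t.mint(holder, amount)
    t.mint("pool", 300)                     # tokens a flash loan could borrow
    t.next_block()                          # block 1: proposal created, snapshot = block 0
    prop = Proposal(t, created_block=t.block)
    prop.vote_for("alice")                  # honest support: 30 of 400
    t.next_block()                          # block 2: the one-block loan happens here
    t.transfer("pool", "borrower", 300)     # borrow
    prop.vote_for("borrower")
    result = prop.emergency_commit_check(resistant)
    t.transfer("borrower", "pool", 300)     # repay in the same block
    return result


if __name__ == "__main__":
    print("live tally:    ", run_scenario(resistant=False))   # 82.5% -> committed
    print("snapshot tally:", run_scenario(resistant=True))    # 7.5%  -> rejected
```

The defender-side takeaway is the single line that decides the outcome: whether the tally reads `balance_of` or `balance_at(snapshot_block)`. A snapshot taken at least one block before the proposal exists cannot be inflated by a loan that must be repaid within the same transaction, which is why checkpointed voting power (rather than a live balance) is the standard measure for any vote that can move funds.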

In the end, Beanstalk reinforces what we should already know: attacks and exploits can and will happen.

Want to learn more about Flash Loans? Start here. Stay up to date with real-time developments by joining Beanstalk’s Discord.