Ethereum-based stablecoin “Bean,” from the Beanstalk Farms DeFi platform, proved not so stable this week. An attacker exploited code in a flash loan contract to siphon off around $182 million in value, including 24,830 ETH, with the remainder representing damage to the value of the protocol itself.
Bean, according to Beanstalk Farms’ white paper, “is a decentralized credit-based stablecoin” that (in theory) stabilizes its value through a complex mechanism involving on-chain price oracles and regular trading of the token according to supply and demand, coupled with a decentralized credit facility. The paper describes Bean as a next-generation stablecoin, one that doesn’t require collateral reserves of a real-world asset to maintain a value around its peg.
We’re engaging all efforts to try to move forward. As a decentralized project, we are asking the DeFi community and experts in chain analytics to help us limit the exploiter's ability to withdraw funds via CEXes. If the exploiter is open to a discussion, we are as well. https://t.co/fwceVz6hbi
— Beanstalk Farms (@BeanstalkFarms) April 17, 2022
The attack occurred on April 17, 2022, and saw the value of the Bean token drop over 80% ($0.19 at press time). This was despite the stablecoin token’s ostensible value “peg” to $1, and a promise that contracts running on the Beanstalk Farms protocol had been audited by blockchain security firm Omniscia.
In a review of the incident, Omniscia noted it had not examined the specific code the attacker exploited, “as it was introduced beyond our initial audits of the system.” The company explained that when a user deposits funds in one of Beanstalk’s “silos,” they are credited with Stalk and Seed (separate assets forming part of the system) rewards and may then use the tokens to vote in the protocol’s governance system.
The attacker exploited a vulnerability in the code by tricking the price calculation mechanism into counting a single amount of voting power multiple times. This gave them super-majority voting power, ultimately enabling them to withdraw funds that should never have been granted to them.
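The governance-takeover pattern the article describes, reduced to a constructed toy model (added here as an illustration; it is not Beanstalk’s code and the names, amounts and 2/3 threshold are assumptions): a vulnerable design reads live silo balances at execution time, so funds borrowed in a flash loan count as voting power, while snapshotting each voter’s power when the proposal is created makes same-transaction deposits worthless to the attacker.

```python
from dataclasses import dataclass, field


@dataclass
class SiloGovernance:
    """Constructed toy model, not Beanstalk's code. Deposits grant voting
    power; a proposal executes if the executor holds a 2/3 super-majority."""
    treasury: int
    block: int = 0
    deposits: dict = field(default_factory=dict)    # user -> deposited amount
    proposals: dict = field(default_factory=dict)   # id -> power snapshot or None
    snapshot_at_proposal: bool = False  # mitigation: freeze power when proposed

    def deposit(self, user, amount):
        self.deposits[user] = self.deposits.get(user, 0) + amount

    def withdraw(self, user, amount):
        if self.deposits.get(user, 0) < amount:
            raise ValueError("insufficient deposit")
        self.deposits[user] -= amount

    def propose(self, pid):
        # Hardened variant records every voter's power now; tokens deposited
        # later (for example inside a flash-loan transaction) add nothing.
        self.proposals[pid] = dict(self.deposits) if self.snapshot_at_proposal else None

    def execute(self, pid, voter, payout):
        snap = self.proposals[pid]
        power = snap if snap is not None else self.deposits  # live balances = vulnerable
        total = sum(power.values())
        if total and 3 * power.get(voter, 0) >= 2 * total:
            self.treasury -= payout
            return True
        return False


def flash_loan_takeover(gov, loan=900_000):
    """One atomic transaction: borrow, deposit, execute, withdraw, repay.
    Returns True if the treasury was drained."""
    gov.deposit("attacker", loan)                 # borrowed funds become voting power
    drained = gov.execute("drain", "attacker", payout=gov.treasury)
    gov.withdraw("attacker", loan)                # repayment happens in the same transaction
    return drained


def scenario(snapshot=False):
    """Returns the treasury balance after the attempt: 0 if drained."""
    gov = SiloGovernance(treasury=1_000_000, snapshot_at_proposal=snapshot)
    gov.deposit("honest", 100_000)
    gov.deposit("attacker", 1_000)   # attacker holds ~1% of real voting power
    gov.propose("drain")             # proposed in an earlier block with that 1%
    gov.block += 1
    flash_loan_takeover(gov)
    return gov.treasury
```

Running `scenario()` drains the treasury, while `scenario(snapshot=True)` leaves it intact because the borrowed deposit never enters the proposal’s vote tally.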
The process the attacker followed is complicated and likely involved a detailed knowledge of the system to manipulate the various tokens, mechanisms, and protocols into producing the end result. Given this, disgruntled Beanstalk users took to Twitter wondering if it might have been an inside job.
I have $250k in this shitshow
— kundalini2020 (@kundalini2020) April 17, 2022
So many exploits lately. Can't trust defi projects anymore.
— Badpaz (@CS11357) April 17, 2022
exploit is part of defi
— MetaMeditator (@metameditator) April 17, 2022
Beanstalk Farms put out a public call for security experts to help the project investigate the exploit, so whether the “inside job” accusation is true or not is unknown. Meanwhile, reports said $80 million in digital assets had already passed through Tornado Cash, a coin mixer. Tornado Cash, which “anonymizes” digital assets by combining details from multiple transactions, has been used to launder funds gained from other Ethereum exploits in the past, such as the Harvest Protocol exploit of October 2020 and a Geth client bug that briefly forked the Ethereum chain in September 2021.
Although the exploit and loss occurred on a third-party-developed platform rather than on the Ethereum protocol itself, Ethereum’s popularity over the years has made it the preferred home for “decentralized finance” (DeFi) experiments, which have become primary targets for hackers.
The quest to create a new, decentralized, and thus “censorship resistant” financial system has seen multiple new models and systems emerge. Despite promises of security, auditability, and accountability, few use processes that have been tested over a long period. Their complex webs of token assets and layers serving different purposes, combined with the ability to “mix” and trade ill-gotten gains, are too much of a temptation for bad actors.
DeFi platforms, for all their promises, and like much activity in the wider blockchain world, serve mainly to drive speculative price trading rather than to create value in the real world. Users focus mainly on short-term gains. According to Bitcoin Creator Dr. Craig S. Wright, it’s an environment that creates no incentives to build long-term stable businesses or act responsibly.
Follow CoinGeek’s Crypto Crime Cartel series, which delves into the stream of groups, from BitMEX to Binance, Bitcoin.com, Blockstream, ShapeShift, Coinbase, Ripple, Ethereum, FTX and Tether, who have co-opted the digital asset revolution and turned the industry into a minefield for naïve (and even experienced) players in the market.