During the Easter weekend, an anonymous attacker hacked Beanstalk Farm’s reserves and stole $182 million worth of cryptocurrency. The hacker used a flash loan to gain enough voting rights to transfer the money away in a matter of seconds.
Blockchain analytics company PeckShield only noticed the attack on Sunday morning, estimating that the hacker had a total profit of $80 million of the total $182 million, not considering the loans he took to hack the system.
By Sunday afternoon, Beanstalk released a tweet admitting the attack and stating that “The Beanstalk Farms team is investigating the attack and will make an announcement to the community as soon as possible.”
Beanstalk Farms is a DeFi project that manages the supply and demand of different cryptocurrencies. It functions through an Ethereum-based algorithmic stablecoin, where holders earn rewards by participating in a common funding pool that balances the value of one token (around $1), known as a ‘Bean.’
Publius, the developing team behind Beanstalk, designed a governing system where participants could vote on code changes by obtaining voting rights proportionate to the number of tokens they hold.
The attack was made possible by the use of a flash loan, a DeFi product that allows borrowing money for a short amount of time (minutes and even seconds). After receiving the loan, the hacker exchanged the loan for enough ‘Beans’ to gain a majority stake. He then automatically received a code to transfer the funds back to his wallet.
Crypto expert Stephen Diehl stated:
“It’s possible for someone to basically buy up all the shares in the organisation. In the normal corporate world this would be illegal because it’s embezzlement and self-dealing. However, with a DAO [decentralised autonomous organisation], it basically exists outside of any regulatory perimeter – so basically anything goes and the code dictates everything. It’s technically ‘legal’ in some sense, but it’s a very grey area.”
