The Ethereum-based Beanstalk Farms stablecoin protocol lost more than $181 million in cryptocurrency in the hack. The hacker pocketed about $76 million.
1/5
The new popular @beanstalkfarms protocol lost $181M+ in today’s exploit, but the attacker only gained $76M.
Let’s figure out what happened👇 pic.twitter.com/sRjzAF8stE
— Igor Igamberdiev (@FrankResearcher) April 17, 2022
According to The Block’s director of research, Igor Igamberdiev, the attacker completely emptied the protocol’s contract.
The attacker created a governance proposal under BIP-18, envisaging a donation to Ukraine of $250,000, which he forged before execution.
Through flash loans he obtained:
- 350 million DAI, 500 million USDC and 150 million USDT on Aave;
- 32 million BEAN on Uniswap;
- 11.6 million LUSD on SushiSwap.
The funds were used to add liquidity to Curve pools in BEAN to obtain governance votes — Stalk tokens.
Then he deployed and approved the malicious BIP-18, which moved all the assets from the protocol to an external wallet.
2/5
The main protocol contract has been completely emptied.
User funds have been withdrawn:
— 36M BEAN ($36M)
— 0.54 ETH-BEAN UNI-v2 LP tokens ($33M in ETH and $32M in BEAN)
— 79.2M BEAN3CRV-f Curve LP tokens ($79.2M?)
— 1.6M BEAN-LUSD Curve LP tokens ($1.6M?) pic.twitter.com/mdnr9rCDbm— Igor Igamberdiev (@FrankResearcher) April 17, 2022
After removing liquidity and repaying the loans, the attacker converted the remaining funds into 24,800 WETH (~$76 million). He laundered the cryptocurrency through the Tornado Cash mixer service. The $250,000 USDC went to a Ukraine donation address.
Omniscia, which had previously audited the Beanstalk protocol, said that the vulnerabilities used in the attack appeared after the code review. The firm noted that the ability to mint governance tokens via flash loans and the immediate execution of a proposal approved by a qualified majority had been introduced by BIP-12 and BIP-16 in recent months.
📌 Read our post-mortem analysis of the Beanstalk exploit. The code that was exploited was NOT AUDITED by the omniscia team https://t.co/Ck08mJBazJ pic.twitter.com/S6SO7YaVrw
— Omniscia (@Omniscia_sec) April 17, 2022
The biggest hacks of crypto projects so far this year remain the Wormhole and Ronin incidents, with losses of $319 million and $625 million respectively.