Hackers Exploit A Stablecoin Protocol Using Flash Loans

Hackers have attacked Beanstalk Farms, an Ethereum-based stablecoin project, resulting in a $182.5M loss for the protocol. The protocol confirmed the news on Monday morning and acknowledged that the incident took place on Sunday, April 17.

Beanstalk’s Report Of What Happened

Beanstalk has released a short report analyzing how the attackers carried out the operation. The analysis revealed that the hackers took a $1B flash loan on one of Beanstalk’s lending platforms (Aave). The flash loan was denominated in the stablecoins USDT, USDC, and DAI. With it, the hackers amassed vast amounts of the protocol’s native token, STALK.

Once they had done so, the attackers held the controlling votes in the project’s DAO. They then used their new voting power to execute harmful proposals in the project and drain the liquidity. One of the project’s team heads stated that “the hackers identified and exploited the loophole of Beanstalk’s non-usage of a flash loan resistant feature. Hence, they can’t determine the percentage of the native token used to summon the required votes to execute the malicious proposals.”
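The weakness described above, and one common form of flash-loan resistance (weighting votes by balances checkpointed at an earlier block), shown as an added toy model that is not Beanstalk's code. The token class, holder names, balances, block number and two-thirds threshold are all constructed assumptions.

```python
# Toy model (constructed): live-balance vs. snapshot vote weighting in a DAO.
class GovToken:
    def __init__(self, balances):
        self.balances = dict(balances)  # live balances, change mid-transaction
        self.checkpoints = {}           # block number -> frozen copy of balances

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def checkpoint(self, block):
        self.checkpoints[block] = dict(self.balances)

    def weight(self, holder, snapshot_block=None):
        """Voting weight: live balance, or balance frozen at snapshot_block."""
        source = self.balances if snapshot_block is None else self.checkpoints[snapshot_block]
        return source.get(holder, 0)


def simulate(snapshot_block=None, threshold=2 / 3):
    """Borrow, vote and repay inside one transaction.

    Returns (proposal_passed, borrower_balance_after_repayment).
    """
    token = GovToken({"pool": 900, "alice": 60, "bob": 40, "borrower": 0})
    total = sum(token.balances.values())
    token.checkpoint(block=99)                 # taken before the voting transaction
    token.transfer("pool", "borrower", 900)    # loan arrives
    share = token.weight("borrower", snapshot_block) / total
    passed = share >= threshold
    token.transfer("borrower", "pool", 900)    # loan repaid in the same transaction
    return passed, token.balances["borrower"]


if __name__ == "__main__":
    print("live-balance weighting:", simulate())
    print("snapshot weighting:   ", simulate(snapshot_block=99))
```

With live-balance weighting the borrowed tokens count toward the vote even though the borrower ends the transaction holding nothing; with the checkpoint taken beforehand the same holder has zero weight.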

A Feature Responsible For Success And Failure 

However, the crypto security firm PeckShield claimed that the attackers couldn’t move all the stolen funds. Instead, they moved only $85M of the stolen funds through the popular anonymous crypto mixer, Tornado Cash. Curiously, the attackers supported Ukraine’s relief efforts by donating $250K of the crypto they had just stolen.

While commenting on the incident, a top-level executive of the project said, “it is sad that the feature that made our project successful is the same one that later became its undoing.” However, the protocol’s report of the incident didn’t indicate whether users who lost their funds in the attack would be compensated.

Sadly, the value of the project’s stablecoin (BEAN) dipped massively following the attack. The latest CoinGecko data shows that the BEAN stablecoin currently trades at nearly 80% of its pegged $1 price. Before the hacking incident, Beanstalk’s overall valuation was already approaching the $100M mark.

The Numerous Weaknesses Of DeFi Platforms

Even though finance experts predict that DeFi projects will soon dominate the finance sector, toppling the current traditional finance systems, DeFi projects have been the target of numerous hacking attempts. Hackers keep identifying loopholes they can exploit in these DeFi platforms, and these attacks have resulted in the loss of several hundreds of millions of dollars from these projects. Hardly a month goes by without at least one reported case of a DeFi hack.

In March 2022, the Ronin network was hacked, with about $650M carted away by the hackers. The popular play-to-earn crypto game Axie Infinity was built on this network. It remains to be seen whether the security teams of these DeFi projects can find a means of making the protocols safe. Earlier in the month, Inverse Finance and Ola Finance (two DeFi-related projects) reported the loss of nearly $20M and $4M, respectively, to hackers.