Beanstalk cryptocurrency project robbed after hacker votes to send themself $182 million

Illustration by Alex Castro / The Verge

An attacker stole around $182 million of currency from a Defi project on Sunday. The majority vote governance system is a core feature of many DeFi protocols.

The net profit for the hacker was estimated by the company to be around 80 million of the total funds stolen, minus some of the borrowed funds that were required to perform the attack.

Beanstalk admitted to the attack in a statement that they would make an announcement to the community as soon as possible.

Beanstalk operates a system where participants earn rewards by contributing funds to a central funding pool and is described as a decentralized credit based stable coin protocol.

The governance mechanism that the Publius team used to vote on changes to the code was similar to many other DeFi projects. The project's undoing would be created by the fact that they obtained voting rights in proportion to the value of their token holdings.

The attack was made possible by a product called a flash loan, which allows users to borrow large amounts of currency for very short periods of time. It is possible to use flash loans for more sinister purposes but they are meant to be used for liquidity.

CertiK analysis shows that the attacker used a flash loan from Aave to borrow close to $1 billion in cryptocurrencies and exchange them for beans to gain a 67 percent voting stake in the project. They were able to approve the execution of code that transferred assets to their own wallet with this supermajority stake. The attacker repaid the flash loan and made an $80 million profit.

The entire process took less than 13 seconds based on the duration of the Aave flash loan.

CertiK CEO and co-founder Ronghui Gu said that they are seeing an increase in flash loan attacks this year.

Defi services are an attractive target for hackers due to their complexity and the fact that they can be difficult to fully audit. In the case of the Beanstalk hack, the Publius team admitted that they didn't include a provision to protect against a flash loan attack.

As of press time, the request for comment has not received a response.

Decentralized governance structures could create problems of their own, according to Brian Pasfield, the CTO at Fringe Finance.

Defi governance is currently moving towards AO governance. There are new points of failure that can be created by developers or DAO members.

There may be little recourse for investors who have lost their staked coins. In a message posted immediately after the hack, the founders wrote that the project would receive a bail out since it had not been developed with the backing of a venture capitalist.

Many users claim to have lost tens of thousands of dollars on the project's Discord server. Since the attack, the hacker has been moving funds through Tornado Cash, a privacy-focused mixer service that has become a go-to step in laundered stolen criptocurrency funds. It is unlikely that the money will be traced and returned.

The value of the BEAN stablecoin broke the $1 peg on Monday and is now worth around 14 cents.