Disclaimer: This article was updated with Gleb Zykov’s commentary on 19 April at 7:47 PM UTC.
Beanstalk, an Ethereum-based stablecoin protocol, was hacked on Sunday, and more than $80 million worth of cryptocurrencies, including Ethereum and BEAN, were drained.
The attacker hit where it hurt the most
In a series of tweets, blockchain security and data analytics company PeckShield illustrated that the hacker used flash loans to execute the attack.
Initially, the attacker took a flash loan on the lending platform Aave, which enabled them to accumulate a large amount of Beanstalk’s native governance token, Stalk. With the voting power granted by these Stalk tokens, the attacker was able to quickly pass a malicious governance proposal that drained all protocol funds into a private Ethereum wallet.
For its part, Beanstalk did not use a flash-loan-resistant measure to determine the percentage of Stalk that had voted in favor of the proposal, so voting power borrowed for the duration of a single transaction counted in full. The hacker took advantage of this vulnerability to exploit the protocol.
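As an added illustration (not code from the article or from Beanstalk's contracts), the toy Python tally below contrasts the weakness just described, weighing votes by whatever balance the voter holds at the moment of voting, with snapshot-based weighting, one common flash-loan-resistant measure. The addresses, balances and the two-thirds threshold are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Toy DAO vote tally, constructed for illustration only.
# "Stalk" is modelled as a plain governance-token balance per address.

@dataclass
class Proposal:
    votes_for: int = 0
    snapshot: Optional[Dict[str, int]] = None  # balances frozen at creation (hardened mode)

@dataclass
class Governance:
    balances: Dict[str, int] = field(default_factory=dict)
    snapshot_voting: bool = False   # False = vulnerable (live balances), True = hardened
    threshold: float = 2 / 3        # assumed supermajority for this example
    proposal: Optional[Proposal] = None

    def propose(self) -> None:
        # Hardened mode records who held what when the proposal was created.
        snap = dict(self.balances) if self.snapshot_voting else None
        self.proposal = Proposal(snapshot=snap)

    def _weights(self) -> Dict[str, int]:
        # Vulnerable mode reads what the voter holds *right now*, so tokens
        # borrowed and returned within one transaction still count in full.
        return self.proposal.snapshot if self.snapshot_voting else self.balances

    def vote(self, voter: str) -> None:
        self.proposal.votes_for += self._weights().get(voter, 0)

    def passes(self) -> bool:
        return self.proposal.votes_for / sum(self._weights().values()) > self.threshold

def simulate_same_tx_borrow(gov: Governance, lender: str, voter: str, amount: int) -> bool:
    """Borrow, vote, read the tally, repay: all inside one atomic transaction."""
    gov.balances[lender] -= amount
    gov.balances[voter] = gov.balances.get(voter, 0) + amount
    gov.vote(voter)
    result = gov.passes()
    gov.balances[voter] -= amount
    gov.balances[lender] += amount
    return result

def demo(snapshot_voting: bool) -> bool:
    # Constructed state: a pool holding 70% of supply, two honest holders, and a
    # voter who holds nothing when the proposal is created.
    gov = Governance(balances={"pool": 700, "alice": 200, "bob": 100},
                     snapshot_voting=snapshot_voting)
    gov.propose()
    return simulate_same_tx_borrow(gov, "pool", "voter", 700)
```

With live balances the borrowed 700 of 1,000 tokens clears the two-thirds bar; with the snapshot the same voter carries zero weight and the proposal fails.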
The Block’s Igor Igamberdiev clarified that the protocol had lost more than $181 million in total, but the attacker only gained $76 million.
Blockchain security firm Omnicia audited Beanstalk’s smart contracts and detailed the process in its post-mortem report.
The aftermath
Consequently, the native BEAN stablecoin lost its $1 peg and dipped to almost $0 on Sunday. Despite a slight recovery, the stablecoin was valued at $0.18 at press time.
Additionally, the exploiter transferred about $250k of the stolen funds to Ukraine’s Crypto Donation wallet address.
Beanstalk endorsers take a step back
A few people from the community, like Anishk Mitra [Vice President at Goldman Sachs], had been fervently endorsing BEAN over the past few days. In fact, they went so far as to label their shilling “financial advice” and kept posting threads that highlighted only the bright and rosy side.
Mitra deleted his Twitter account right after the hack, but was quick to re-activate it and claim that he’s “not hiding.” Responding to a person on Twitter, he claimed that the exploit had hit his wallet “hard” too and that he was dealing with an exploit like this for the “first time.”
In an apology thread, Mitra admitted that he shouldn’t have labeled the project a “lucrative opportunity.” He explicitly said,
“… now I not only feel like a moron, but also guilty for doing so”
Signs were there all along though
People in the space, like Mudit Gupta, Polygon’s CISO, had been highlighting the loopholes in such projects for months, but few paid heed.
In short, there were warnings across the board, but because they were ignored, the hacker succeeded in executing the attack.
Expert weighs in on the hack and broader DAO ecosystem
Hacks in general hold up a mirror to ecosystem-wide fallacies and red flags. In written commentary to WatcherGuru, Gleb Zykov, Co-Founder and CTO of DeFi security and analytics company HashEx, said,
“This attack shows that DAOs’ voting models are not transparent enough for the average user. The proposal was there for a day, but no one raised their voices about it. The transaction did not look suspicious in itself to a non-technical user, which undermines transparency of DAO voting systems.”
The HashEx exec further opined that monitoring solutions that provide clear information about DAO voting systems and their proposals should be developed going forward. Only then would DAO governance become more transparent.