During the Easter weekend, an anonymous attacker hacked Beanstalk Farms’ reserves, stealing $182 million worth of cryptocurrency. The hacker used a flash loan to gain enough voting rights to transfer the money away in a matter of seconds.
Blockchain analytics company PeckShield noticed the attack only on Sunday morning, estimating that the hacker made a total profit of $80 million out of the $182 million, not including the loans taken to hack the system.
On Sunday afternoon, Beanstalk posted a tweet confirming the attack, stating that “The Beanstalk Farms team is investigating the attack and will make an announcement to the community as soon as possible.”
Beanstalk Farms is a DeFi project that manages the supply and demand of different cryptocurrencies. It functions through an Ethereum-based algorithmic stablecoin with which holders can earn rewards by participating in a common funding pool that balances the value of a single token (worth around $1 USD), known as a ‘Bean.’
Publius, the development team behind Beanstalk, designed a governance system in which participants vote on code changes, with voting rights proportionate to the number of tokens they hold.
The attack was made possible by the use of a flash loan, a DeFi product that allows the borrowing of money for a short amount of time — often minutes or even seconds. After receiving the loan, the hacker exchanged the sum for enough ‘Beans’ to gain a majority stake. He then automatically received a code to transfer the funds back to his wallet.
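The mechanism described above as a toy model, added here as an illustration and not Beanstalk's contract code: a vote weighted by balances at the moment of voting counts tokens held for a single transaction, while a vote weighted by balances sealed before the proposal existed does not. The ledger, holder names, amounts and the simple-majority threshold are all constructed assumptions.

```python
"""Toy model of token-weighted voting (constructed; not Beanstalk's code)."""

MAJORITY = 0.5  # assumed pass threshold for this model


class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.block = 0
        self.history = {}  # block number -> balances at the end of that block

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def seal_block(self):
        self.history[self.block] = dict(self.balances)
        self.block += 1


def share(balances, voter):
    """Fraction of the total token supply held by `voter`."""
    return balances.get(voter, 0) / sum(balances.values())


def passes_live(ledger, voter):
    """Weak design: weight is read from balances at the moment of the vote."""
    return share(ledger.balances, voter) > MAJORITY


def passes_snapshot(ledger, voter, proposal_block):
    """Hardened design: weight is read from the block sealed before the proposal."""
    return share(ledger.history[proposal_block - 1], voter) > MAJORITY


def simulate():
    ledger = Ledger({"pool": 8000, "alice": 1200, "bob": 800})  # constructed holders
    ledger.seal_block()               # block 0: the borrower holds nothing
    proposal_block = ledger.block     # proposal and vote both land in block 1
    # One transaction: the transfer stands in for borrowing and swapping into tokens.
    ledger.transfer("pool", "borrower", 6000)
    live = passes_live(ledger, "borrower")
    snap = passes_snapshot(ledger, "borrower", proposal_block)
    ledger.transfer("borrower", "pool", 6000)  # repaid before the block ends
    ledger.seal_block()
    return live, snap, ledger.history[1].get("borrower", 0)
```

The borrowed stake never appears in any end-of-block record, which is why the snapshot check rejects it while the live-balance check accepts it.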
Crypto expert Stephen Diehl stated:
“It’s possible for someone to basically buy up all the shares in the organisation. In the normal corporate world this would be illegal because it’s embezzlement and self-dealing. However, with a DAO [decentralised autonomous organisation], it basically exists outside of any regulatory perimeter – so basically anything goes and the code dictates everything. It’s technically ‘legal’ in some sense, but it’s a very grey area.”