The Beanstalk cryptocurrency has been stripped of reserves valued at more than $180m (£138m) in seconds after an attacker used borrowed money to snap up enough voting rights to transfer the money away.
Someone managed to game Beanstalk by investing enough funds to gain control of the system and promptly drained its holdings.
Beanstalk works by letting people buy beans, which are pegged at about $1 each, and earn interest. Crucially, the system was designed so that its participants can vote on changes to the platform, with the strength of their vote determined by how invested they are in the platform.
Over the weekend, somebody took out a brief but very large loan to amass enough voting rights to push through the governance changes needed to siphon off all of Beanstalk’s reserves. In response, the price of each Bean plummeted to close to zero before recovering to about a dollar, as per its stablecoin design, and the Beanstalk team called on the cryptocurrency world to block the movement of its harvested funds.
Beanstalk said it lost all of its $180 million collateral over the weekend and confirmed the attack on Twitter later that day.
“Beanstalk suffered an exploit today,” Beanstalk Farms reported on Twitter.
While Beanstalk did not provide further attack details, PeckShield attributed its success to the use of a “flashloan” exploit. A portion of the stolen assets was used to pay the Flashloan fee, according to PeckShield’s tweet.
In an email to SearchSecurity, PeckShield described flashloans as a “special form of loans, which involve the lending cryptocurrencies (from a pool) to a borrower without collaterals and require the immediate payment within the transaction.”
The crook first put forward a governance proposal requesting donations for Ukraine. As smart-contract auditor BlockSec explained, the proposal contained a malicious smart contract to be executed when the proposal passed, which would transfer the funds from the protocol into the thief’s control. The thief waited a day until they could deposit the flash-loaned tokens to gain the necessary voting power to execute the contract, obtained the funds, and repaid the loan.
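The deposit-vote-execute-repay sequence described above, modelled as an added example (constructed here, not Beanstalk's or BlockSec's code) alongside the defensive check a governance contract can apply: counting vote weight from a snapshot taken when the proposal was created, so tokens deposited in the same transaction carry no weight. The two-thirds threshold, account names and amounts are assumptions.

```python
# Toy DAO model (constructed example, not Beanstalk's code): vote weight
# comes from deposited tokens, read either live or from a snapshot.
from dataclasses import dataclass, field

@dataclass
class Proposal:
    snapshot: dict                        # balances frozen at creation
    voters: set = field(default_factory=set)
    votes_for: int = 0

@dataclass
class Governance:
    threshold: float                      # share of total weight to execute
    snapshot_weights: bool                # False: live balances (exposed)
    balances: dict = field(default_factory=dict)
    proposals: dict = field(default_factory=dict)

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def withdraw(self, who, amount):
        assert self.balances.get(who, 0) >= amount, "insufficient balance"
        self.balances[who] -= amount

    def propose(self, pid):
        self.proposals[pid] = Proposal(snapshot=dict(self.balances))

    def _weights(self, p):                # which balances count for p
        return p.snapshot if self.snapshot_weights else self.balances

    def vote(self, pid, who):
        p = self.proposals[pid]
        if who not in p.voters:           # one vote per account
            p.voters.add(who)
            p.votes_for += self._weights(p).get(who, 0)

    def can_execute(self, pid):
        p = self.proposals[pid]
        return p.votes_for >= self.threshold * sum(self._weights(p).values())

def transient_deposit_vote(snapshot_weights):
    gov = Governance(threshold=2 / 3, snapshot_weights=snapshot_weights)
    for who, amt in (("alice", 600), ("bob", 400)):   # long-term holders
        gov.deposit(who, amt)
    gov.propose(1)
    gov.deposit("borrower", 10_000)       # borrowed, returned below
    gov.vote(1, "borrower")
    passed = gov.can_execute(1)
    gov.withdraw("borrower", 10_000)      # repay within the same transaction
    return passed
```

With live balances the borrowed deposit alone clears the threshold; with the snapshot policy it has no weight and only the holders recorded at proposal time can carry the vote.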
Beanstalk Monday posted a statement to Twitter that included a direct offer to the attacker. In exchange for the return of 90% of the stolen funds, the company promised to “treat the remaining 10% as a Whitehat bounty properly payable to you.”
Beanstalk is not the first decentralized platform to issue a public plea. After suffering an attack last year, BadgerDAO not only provided a direct line of communication to the attacker but also offered compensation.
Though Beanstalk suffered a considerable loss, it was nowhere close to the amount drained in cryptocurrency from an attack against Axie Infinity last month, when a threat actor breached the Ronin bridge and stole more than $600 million. In February, Wormhole saw a $320 million deficit from an attack that was also attributed to an “exploit.” Before that, Crypto.com lost $15 million after an attack.