The Ethereum-based stablecoin “Bean” from the Beanstalk Farms DeFi platform proved to be not so stable this week. An attacker used a flash loan to exploit the protocol’s code and siphon off approximately $182 million in value: 24,830 ETH taken by the attacker, with the rest counted as damage to the protocol itself.
Bean, according to the Beanstalk Farms whitepaper, “is a decentralized credit-based stablecoin” that (in theory) stabilizes its value through a complex mechanism involving on-chain price oracles and regular adjustment of the token supply in response to supply and demand, coupled with a decentralized credit facility. The whitepaper describes Bean as a next-generation stablecoin, one that does not require collateral reserves of a real-world asset to hold its value near its peg.
We are making every effort to try to move forward. As a decentralized project, we are asking the DeFi community and on-chain analysis experts to help us limit the exploiter’s ability to withdraw funds via CEX. If the exploiter is open to discussion, so are we. https://t.co/fwceVz6hbi
— Beanstalk Farms (@BeanstalkFarms) April 17, 2022
The attack took place on April 17, 2022 and saw the value of the Bean token drop by over 80% ($0.19 at press time). This is despite the token’s nominal $1 peg and the assurance that contracts executed on the Beanstalk Farms protocol had been audited by blockchain security firm Omniscia.
In a review of the incident, Omniscia noted that it did not review the specific code exploited by the attacker, “because it was introduced beyond our initial system audits.” The company explained that when a user deposits funds into one of Beanstalk’s “silos”, they are credited with Stalk and Seed rewards (separate assets that are part of the system) and can then use those tokens to vote in the protocol’s governance.
The attacker exploited a flaw in the code by tricking the mechanism that calculates voting power into counting a single holder’s voting power multiple times over. This gave them super-majority voting power, ultimately allowing them to withdraw funds that should never have been released to them.
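The governance failure described above comes down to when voting power is measured. The following Python model is an added illustration, not Beanstalk’s code and not a description of its actual contracts: the depositor names, balances, the “flash” deposit of 1000 units and the two-thirds threshold are all constructed here. It compares a design that reads voting power from live deposits at vote time with one that reads it from a snapshot taken at the end of the block before the proposal was created, which is the standard defence against same-block inflation of voting weight.

```python
from dataclasses import dataclass

# Constructed threshold for the toy governance; any super-majority rule would do.
SUPERMAJORITY = 2 / 3


@dataclass
class Proposal:
    created_block: int
    votes_for: int = 0


class Governance:
    """Deposit-weighted voting (toy model).

    mode="live"     -> voting power is read from current deposits when a vote
                       is cast and when the tally is checked (the weak design).
    mode="snapshot" -> voting power is read from balances as they stood at the
                       end of the block *before* the proposal was created, so
                       deposits made in the proposal's own block carry no weight.
    """

    def __init__(self, mode):
        if mode not in ("live", "snapshot"):
            raise ValueError("mode must be 'live' or 'snapshot'")
        self.mode = mode
        self.block = 0
        self.deposits = {}   # address -> deposited amount (= voting power)
        self.history = {}    # block number -> copy of deposits at end of block
        self.proposals = {}

    def next_block(self):
        # Freeze the end-of-block balances so later snapshots can refer to them.
        self.history[self.block] = dict(self.deposits)
        self.block += 1

    def deposit(self, who, amount):
        self.deposits[who] = self.deposits.get(who, 0) + amount

    def withdraw(self, who, amount):
        if self.deposits.get(who, 0) < amount:
            raise ValueError("insufficient deposit")
        self.deposits[who] -= amount

    def _power_source(self, proposal):
        if self.mode == "live":
            return self.deposits
        return self.history.get(proposal.created_block - 1, {})

    def propose(self, pid):
        self.proposals[pid] = Proposal(created_block=self.block)

    def vote(self, who, pid):
        p = self.proposals[pid]
        p.votes_for += self._power_source(p).get(who, 0)

    def passes(self, pid):
        p = self.proposals[pid]
        total = sum(self._power_source(p).values())
        return total > 0 and p.votes_for / total >= SUPERMAJORITY


def attacker_share(mode):
    """Run the constructed scenario; return (attacker's share of counted power,
    whether the proposal reaches the super-majority)."""
    g = Governance(mode)
    g.deposit("alice", 40)     # constructed honest depositors
    g.deposit("bob", 60)
    g.next_block()
    g.deposit("mallory", 1)    # negligible pre-existing stake
    g.next_block()
    # Everything below happens inside one block: borrowed funds are deposited,
    # a proposal is created and voted on, then the funds are withdrawn again.
    g.deposit("mallory", 1000)
    g.propose("drain")
    g.vote("mallory", "drain")
    passed = g.passes("drain")
    src = g._power_source(g.proposals["drain"])
    share = src.get("mallory", 0) / sum(src.values())
    g.withdraw("mallory", 1000)
    return round(share, 3), passed


if __name__ == "__main__":
    for mode in ("live", "snapshot"):
        print(mode, attacker_share(mode))
```

In the live mode the borrowed deposit counts immediately and the proposal clears the threshold before the funds are withdrawn again; in the snapshot mode the same sequence leaves the attacker with about one percent of the counted power. A second, independent control that the model omits is a mandatory delay between a proposal passing and its execution, which gives the community time to react even if the weighting is wrong.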
The process followed by the attacker is complicated and likely involves detailed knowledge of the system to manipulate the various tokens, mechanisms, and protocols to produce the end result. Given this, disgruntled Beanstalk users took to Twitter wondering if this might be an inside job.
I got $250,000 on this shitshow
— KUNDALINI2020 (@kundalini2020) April 17, 2022
What exploits lately. I can’t trust defi projects anymore.
— Badpaz (@CS11357) April 17, 2022
feat is part of defi
— MetaMeditator (@metameditator) April 17, 2022
Beanstalk Farms has issued a public call for security experts to help the project investigate the exploit, so it’s unclear whether the “inside job” accusation is true or not. Meanwhile, reports have indicated that $80 million worth of digital assets have already passed through Tornado Cash, a coin mixer. Tornado Cash, which “anonymizes” digital assets by combining details of multiple transactions, has been used to launder funds from other Ethereum exploits in the past, such as the October 2020 Harvest Protocol exploit and a bug in the Ethereum Geth client that briefly forked the Ethereum chain in September 2021.
Although the exploit and loss occurred on a platform developed by a third party rather than in the Ethereum protocol itself, Ethereum’s popularity over the years has made it the favoured venue for “decentralized finance” (DeFi) experiments, which have become the main targets of hackers.
The quest to create a new decentralized and therefore “censorship-resistant” financial system has seen the emergence of several new models and systems. Despite promises of security, auditability, and accountability, few use processes that have been tested over a long period of time. Their complex networks, combinations of token assets and layers serving different purposes, and the ability to “mix” and trade ill-gotten gains are too tempting for bad actors.
DeFi platforms, for all their promise and like much activity in the wider blockchain world, serve primarily to stimulate speculative price trading rather than create real-world value. Users mainly focus on short-term gains. According to Bitcoin’s creator, Dr. Craig S. Wright, it’s an environment that creates no incentive to build long-term, stable businesses or to act responsibly.