Hackers take tens of millions of dollars in cryptocurrency in a “single move”

Hackers carried out a “flash loan” attack and succeeded, stealing up to $182 million worth of cryptocurrency. Of that, $80 million has passed through Tornado Cash, a cryptocurrency mixing protocol that allows for private transactions, according to The Verge.

Beanstalk Farms is a decentralized finance (DeFi) project that aims to balance the supply and demand of different crypto assets. Notably, the attack exploited Beanstalk’s majority-vote governance system, a core feature of many DeFi protocols.

Beanstalk describes itself as a “decentralized credit-based stablecoin protocol”. It operates a system in which participants earn rewards by contributing funds to a central fund, which is used to keep the value of a token called BEAN close to 1 USD.

Like many other DeFi projects, the Publius development team built Beanstalk with a governance mechanism through which participants collectively vote on changes to the BEAN token. Participants gain voting rights in proportion to the value of the tokens they hold, which created the loophole and suggests that the project’s design was incomplete.

The attack relied on another DeFi product known as a “flash loan”, which allows users to borrow large amounts of cryptocurrency for minutes or even seconds. Flash loans are intended to provide liquidity or to take advantage of arbitrage opportunities, but they can also be used for other purposes.

Attacker’s flash loan transaction to Beanstalk Farms. Photo: Beanstalk Farms

According to analysis from blockchain security firm CertiK, the Beanstalk hacker used a flash loan obtained through the Aave decentralized lending protocol to borrow nearly $1 billion in crypto assets and exchanged them for enough BEAN tokens to gain a 67% voting share in the project.

With this stake, the hacker could approve the execution of code that transferred assets to their own wallet. The hacker then immediately repaid the flash loan, walking away with a profit of $80 million. Given the duration of an Aave flash loan, the whole process took less than 13 seconds.
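The borrow, vote, execute and repay sequence described above all fits inside a single block, which is exactly what token-weighted governance with live balances and no execution delay fails to account for. The following toy model is an added example, not Beanstalk’s code or CertiK’s analysis: the holders “alice” and “bob”, the token amounts and the treasury size are constructed values, and the two-thirds approval threshold mirrors the 67% share mentioned in the article. It runs the same sequence against a vulnerable configuration and against one hardened with the two standard mitigations, snapshot-based vote weight and a timelock between a vote passing and its execution.

```python
"""Toy model of token-weighted on-chain governance in two configurations.

Constructed illustration, not Beanstalk's or any project's code. It models the
takeover described above: within one block an attacker borrows a large amount of
the governance token, votes it through a proposal that moves the treasury, and
returns the tokens. The hardened configuration adds two standard mitigations:
vote weight taken from a balance snapshot at proposal creation, and a timelock
between a vote passing and its execution.
"""
from dataclasses import dataclass, field
from typing import Optional

SUPERMAJORITY = (2, 3)  # two thirds of the counted supply must approve


@dataclass
class Proposal:
    created_block: int
    snapshot: dict                      # balances when the proposal was created
    votes_for: int = 0
    voters: set = field(default_factory=set)
    passed_block: Optional[int] = None  # block in which the threshold was crossed
    executed: bool = False


@dataclass
class Governance:
    snapshot_voting: bool               # weigh votes by snapshot, not live balance
    timelock_blocks: int                # blocks required between passing and execution
    balances: dict = field(default_factory=dict)
    treasury: int = 1_000               # units of assets the governance controls
    block: int = 0
    proposals: list = field(default_factory=list)

    def _weights(self, p: Proposal) -> dict:
        # Vulnerable variant: weight is whatever each voter holds right now,
        # so tokens borrowed in the same block count in full.
        return p.snapshot if self.snapshot_voting else self.balances

    def propose(self) -> int:
        self.proposals.append(Proposal(self.block, dict(self.balances)))
        return len(self.proposals) - 1

    def vote(self, pid: int, voter: str) -> None:
        p = self.proposals[pid]
        if voter in p.voters or p.executed:
            return
        weights = self._weights(p)
        p.votes_for += weights.get(voter, 0)
        p.voters.add(voter)
        num, den = SUPERMAJORITY
        if p.passed_block is None and p.votes_for * den >= sum(weights.values()) * num:
            p.passed_block = self.block

    def execute(self, pid: int) -> bool:
        """Move the treasury out if the proposal passed and the timelock has elapsed."""
        p = self.proposals[pid]
        if p.executed or p.passed_block is None:
            return False
        if self.block - p.passed_block < self.timelock_blocks:
            return False                # timelock: no execution in the passing block
        p.executed = True
        self.treasury = 0
        return True


def simulate_flash_loan_takeover(snapshot_voting: bool, timelock_blocks: int) -> bool:
    """Return True if a borrow-vote-execute sequence inside one block drains the treasury."""
    gov = Governance(snapshot_voting, timelock_blocks,
                     balances={"alice": 600, "bob": 400})   # honest holders, constructed
    gov.block = 100
    pid = gov.propose()                 # attacker files the proposal holding no tokens
    gov.block = 101                     # everything below happens inside this one block
    loan = 3_000                        # borrowed amount dwarfs the 1_000 honest supply
    gov.balances["attacker"] = loan     # 1. flash-borrowed tokens arrive
    gov.vote(pid, "attacker")           # 2. vote with borrowed weight (75% of live supply)
    drained = gov.execute(pid)          # 3. try to execute before the block ends
    del gov.balances["attacker"]        # 4. loan repaid; nothing is held past the block
    return drained and gov.treasury == 0


if __name__ == "__main__":
    print("live weight, no timelock :", simulate_flash_loan_takeover(False, 0))
    print("snapshot weight           :", simulate_flash_loan_takeover(True, 0))
    print("live weight, 1-block delay:", simulate_flash_loan_takeover(False, 1))
```

The two mitigations close the gap in different ways. Snapshot voting removes the borrowed weight entirely, because the attacker held nothing when the proposal was created. A timelock alone leaves the recorded tally in place; what it denies is execution within the block in which the loan must be repaid, which buys the honest holders time to notice and respond, so real governance contracts use both together.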

“Flash loan attacks are an increasing trend this year. These attacks further emphasize the importance of security checks and also teach lessons about the pitfalls of security problems when writing Web3 code,” said CertiK CEO and co-founder Ronghui Gu.

As for Beanstalk’s investors, they have already lost their deposits and there is practically little possibility of recourse. In an announcement posted shortly after the hack, the Beanstalk founders wrote that it was “very likely” that the project would receive a bailout.

In the project’s Discord server, many users say they have lost tens of thousands of USD in invested crypto. Since the attack, the hackers have been moving funds through Tornado Cash, a privacy-focused mixing service that has become a common first step in laundering stolen crypto funds. With much of the stolen money now obscured, it can hardly be traced and returned to its owners.

After the attack, the value of the BEAN stablecoin plummeted, breaking its $1 peg and trading at only around 14 cents at the close of the last session.

The Beanstalk cryptocurrency project was stolen by hackers in an unexpected way. Photo: The Verge

