All Articles
All Articles

Beanstalk losses $181 million: the Governance Attack using a Flash Loan

Table of Contents

Beanstalk, a decentralized credit-based algorithmic stablecoin protocol that is built on Ethereum became a victim of flash loan which was further used to exploit a governance proposal and drain funds from the pools. Beanstalk incident places the 4th position on our crypto hacks database after Ronin, Poly Network, and Wormhole cases.

Preparation Stage

The attacker was initially funded through Synapse bridge at:
https://etherscan.io/tx/0x1fb73ec5ed8c25b9ca7c9c3c465ab4bbca8554927094f939d96600271475e101

Since the $BEAN contract’s governance actions have 1 day of delay, the attacker prepared the governance proposal in advance. Proposal #18 takes the whole contract’s value, while Proposal #19 transfers $250k to the Ukraine donation address. BIP18 is the name of this Ukraine proposal (instead of BIP19)

BIP18 proposal transaction:
https://etherscan.io/tx/0x3cb358d40647e178ee5be25c2e16726b90ff2c17d34b64e013d8cf1c2c358967

The Execution

The attacker’s contract that was used to perform a flash loan:
https://etherscan.io/address/0x1c5dcdd006ea78a7e4783f9e6021c32935a10fb4

The transaction behind the flash loan:
https://etherscan.io/tx/0xcd314668aaa9bbfebaf1a0bd2b6553d01dd58899c508d4729fa7311dc5d33ad7

The flash loan was used to get:

  • 350m DAI, 500m USDC and 150m USDT from Aave;
  • 32m BEAN from Uniswap;
  • 11.6M LUSD from SushiSwap.

These tokens were used to supplement the liquidity in Curve pools with BEAN for governance voting.

At first, the attacker minted 3CRV using DAI, USDC, and USDT. After, he generated the token BEAN3CRV-f using BEANS. This was followed by a deposit of 32 million $BEAN tokens and 25 million $LUSD into yet another contract to create a new token named BEAN3LUSD-f.

BEAN3CRV-f and BEAN3LUSD-f may be transformed straight into Seeds (a special type of asset called which acts like voting power in the system), providing the attacker with sufficient voting power. In reality, the attacker was able to manage more than 70% of the total number of Seeds thanks to the flash loan and $BEAN

The BIP18 triggers the execution of the designed code with the governance privilege to drain the pool fund:
https://etherscan.io/tx/0x68cdec0ac76454c3b0f7af0b8a3895db00adf6daaf3b50a99716858c4fa54c6f

During the attack transaction, 250,000 USDC was donated to Ukraine Crypto Donation address:

$181 million was drained from Beanstalk, but the attacker only kept $76M, which were swapped on Ether and deposited into Tornado Cash mixer in a bunch of transactions:

In the wake of the attack, Beanstalk Farms makes the following offer to the exploiter in the on-chain message:

“In the wake of yesterday’s attack, Beanstalk Farms makes the following offer to the Exploiter:
If you will return 90% of the withdrawn funds to the Beanstalk deployment wallet 0x21DE18B6A8f78eDe6D16C50A167f6B222DC08DF7, Beanstalk will treat the remaining 10% as a Whitehat bounty properly payable to you.
Thousands of individuals have been harmed and this is an opportunity to make good on yesterday’s events.”

The transaction with the message:
https://etherscan.io/tx/0x9ac6af47033c0b3bdd9464f568acc5c850e8fb3fbf89da73f6a96c683abc84f8

Flash loans aren’t a new danger to DeFi governance. One approach to avoid this is to postpone the implementation of on-chain governance initiatives.

Users should pay more attention to the new governance proposals in the future.

As always, stay safe, DYOR, and consider using our DeFi portfolio tracker + antivirus super app to keep your crypto bull run gains secure!

Check our other resources to stay safe and explore DeFi:

Best DeFi Yield Farms
Revoke Wallet Permissions Tool
What is TVL (Total Value Locked) in DeFi?
Upcoming Crypto Airdrops for 2023
Smart Contract Audit Services
Free Smart Contract Audit Scanner

For more De.Fi updates you can visit us at:

📱 **Telegram | 🐦[Twitter] (https://twitter.com/DeDotFi)**

Latest Rekt stories:
Price Manipulation Attack: Elephant Money loses $22.2 million
Elephant Money, a stable coin platform that uses the TRUNK token became a victim of the flash loan attack, which…blog.de.fi

Over $20m lost in early March: DeFi Rekt Stories
$20M Lost??? 13 REKT cases investigated: Early March recap!blog.de.fi

376M Lost in February: REKT Investigation
At the end of this month, our specialists counted a whopping 22 Rekt cases with a total amount loss of more than…blog.de.fi

Wormhole exploit: the second-largest DeFi hack ever
2nd place on the Rekt Databaseblog.de.fi

More from De.Fi

CoinGecko Alternative: The De.Fi Crypto Dashboard

Fundamental analysis is an essential part of life for anyone navigating the digital currency market. For years, CoinGecko has been a reputable place for this, known for its rich data and user-friendly interface. Until recently, it has been unrivaled in terms of convenience.

How to Track Multiple Crypto Wallet Addresses

Managing assets across multiple wallets and blockchains can quickly become overwhelming in the fast-evolving world of crypto. Whether you’re an investor, trader, or DeFi enthusiast, you likely hold assets across various chains, platforms, and wallets. This is where effective crypto wallet tracking becomes essential.

© De.Fi. All rights reserved.