All Articles
All Articles

Beanstalk losses $181 million: the Governance Attack using a Flash Loan

Table of Contents

Beanstalk, a decentralized credit-based algorithmic stablecoin protocol that is built on Ethereum became a victim of flash loan which was further used to exploit a governance proposal and drain funds from the pools. Beanstalk incident places the 4th position on our crypto hacks database after Ronin, Poly Network, and Wormhole cases.

Preparation Stage

The attacker was initially funded through Synapse bridge at:

Since the $BEAN contract’s governance actions have 1 day of delay, the attacker prepared the governance proposal in advance. Proposal #18 takes the whole contract’s value, while Proposal #19 transfers $250k to the Ukraine donation address. BIP18 is the name of this Ukraine proposal (instead of BIP19)

BIP18 proposal transaction:

The Execution

The attacker’s contract that was used to perform a flash loan:

The transaction behind the flash loan:

The flash loan was used to get:

  • 350m DAI, 500m USDC and 150m USDT from Aave;
  • 32m BEAN from Uniswap;
  • 11.6M LUSD from SushiSwap.

These tokens were used to supplement the liquidity in Curve pools with BEAN for governance voting.

At first, the attacker minted 3CRV using DAI, USDC, and USDT. After, he generated the token BEAN3CRV-f using BEANS. This was followed by a deposit of 32 million $BEAN tokens and 25 million $LUSD into yet another contract to create a new token named BEAN3LUSD-f.

BEAN3CRV-f and BEAN3LUSD-f may be transformed straight into Seeds (a special type of asset called which acts like voting power in the system), providing the attacker with sufficient voting power. In reality, the attacker was able to manage more than 70% of the total number of Seeds thanks to the flash loan and $BEAN

The BIP18 triggers the execution of the designed code with the governance privilege to drain the pool fund:

During the attack transaction, 250,000 USDC was donated to Ukraine Crypto Donation address:

$181 million was drained from Beanstalk, but the attacker only kept $76M, which were swapped on Ether and deposited into Tornado Cash mixer in a bunch of transactions:

In the wake of the attack, Beanstalk Farms makes the following offer to the exploiter in the on-chain message:

“In the wake of yesterday’s attack, Beanstalk Farms makes the following offer to the Exploiter:
If you will return 90% of the withdrawn funds to the Beanstalk deployment wallet 0x21DE18B6A8f78eDe6D16C50A167f6B222DC08DF7, Beanstalk will treat the remaining 10% as a Whitehat bounty properly payable to you.
Thousands of individuals have been harmed and this is an opportunity to make good on yesterday’s events.”

The transaction with the message:

Flash loans aren’t a new danger to DeFi governance. One approach to avoid this is to postpone the implementation of on-chain governance initiatives.

Users should pay more attention to the new governance proposals in the future.

As always, stay safe, DYOR, and consider using our DeFi portfolio tracker + antivirus super app to keep your crypto bull run gains secure!

Check our other resources to stay safe and explore DeFi:

Best DeFi Yield Farms
Revoke Wallet Permissions Tool
What is TVL (Total Value Locked) in DeFi?
Upcoming Crypto Airdrops for 2023
Smart Contract Audit Services
Free Smart Contract Audit Scanner

For more De.Fi updates you can visit us at:

📱 **Telegram | 🐦[Twitter] (**

Latest Rekt stories:
Price Manipulation Attack: Elephant Money loses $22.2 million
Elephant Money, a stable coin platform that uses the TRUNK token became a victim of the flash loan attack, which…

Over $20m lost in early March: DeFi Rekt Stories
$20M Lost??? 13 REKT cases investigated: Early March recap!

376M Lost in February: REKT Investigation
At the end of this month, our specialists counted a whopping 22 Rekt cases with a total amount loss of more than…

Wormhole exploit: the second-largest DeFi hack ever
2nd place on the Rekt

More from De.Fi

How to Add Solana to MetaMask

With new crypto ecosystems popping up on a regular basis, the integration of different blockchain networks with popular wallets is a key narrative moving into the next crypto cycle. 

© De.Fi. All rights reserved.