Beanstalk Farms Loses $182 Million Through Governance Protocol Exploitation

Neither this post nor any other on cryptofal.com should be taken as financial advice. It is not.

On Easter Sunday, Beanstalk Farms, the decentralized finance (DeFi) project, was stripped of its $182 million total value locked (TVL) after a malicious actor exploited the project’s governance system and then drained the treasury through a manipulated smart contract attached to a donation proposal.

The hostile takeover occurred in three steps. The actor first took out flash loans from a number of other DeFi protocols, borrowing enough funds to acquire a 67% majority of Beanstalk voting power, enough to approve any decision on its own. The actor then approved the $250k donation proposal, submitted a day earlier with the manipulated code, and drained the treasury fund, or “silo.” The drained funds were used to immediately repay the flash loans to the other DeFi platforms, while the remaining $80 million was funneled into the crypto mixing service Tornado Cash. Ironically, the original $250k attached to the manipulated code was donated to Ukraine as promised.

All of this irregular activity was first spotted by security firm PeckShield Inc. on Etherscan, which then used Twitter to inform the Beanstalk team of the malicious activity. Unfortunately, the hostile takeover was long over before the Beanstalk developers could act. Because flash loans must be repaid within the same transaction in which they are taken, the borrow, vote, drain, and repayment all landed in a single block, so the takeover was effectively instantaneous.
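The weakness described above is a governance contract that counts a voter’s current token balance and lets a passed proposal execute immediately, so borrowed tokens can vote and be returned inside one transaction. The following is an added illustration written for this post, not Beanstalk’s code: it shows that open pattern beside the standard hardening, voting weight frozen at a block before the proposal existed plus an execution delay. It assumes a governance token exposing `getVotes` and `getPastVotes` in the style of OpenZeppelin’s ERC20Votes; the contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not Beanstalk's code. Assumes a token that records
// per-block voting power (OpenZeppelin ERC20Votes exposes this interface).
interface IVotes {
    function getVotes(address account) external view returns (uint256);
    function getPastVotes(address account, uint256 blockNumber) external view returns (uint256);
}

struct Proposal {
    address target;        // contract called when the proposal executes
    bytes   data;          // calldata for that call
    uint256 snapshotBlock; // block whose balances decide voting weight
    uint256 earliestExec;  // timestamp before which execution is refused
    uint256 forVotes;
    bool    executed;
}

// Shared propose/vote/execute flow; subclasses decide how weight is measured.
abstract contract Governor {
    IVotes  public immutable token;
    uint256 public immutable threshold;      // votes needed to pass
    uint256 public immutable executionDelay; // seconds between proposal and execution
    Proposal[] public proposals;
    mapping(uint256 => mapping(address => bool)) public voted;

    constructor(IVotes _token, uint256 _threshold, uint256 _delay) {
        token = _token;
        threshold = _threshold;
        executionDelay = _delay;
    }

    function propose(address target, bytes calldata data) external returns (uint256 id) {
        // Snapshot the block BEFORE this one: tokens borrowed in the current
        // transaction cannot appear in a past-block balance.
        proposals.push(Proposal({
            target: target,
            data: data,
            snapshotBlock: block.number - 1,
            earliestExec: block.timestamp + executionDelay,
            forVotes: 0,
            executed: false
        }));
        return proposals.length - 1;
    }

    function vote(uint256 id) external {
        Proposal storage p = proposals[id];
        require(!voted[id][msg.sender], "already voted");
        voted[id][msg.sender] = true;
        p.forVotes += _weight(msg.sender, p);
    }

    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(!p.executed && p.forVotes >= threshold, "not passed");
        // With executionDelay == 0 this check is a no-op and the call can
        // happen in the same transaction as the vote.
        require(block.timestamp >= p.earliestExec, "timelock active");
        p.executed = true;
        (bool ok, ) = p.target.call(p.data);
        require(ok, "proposal call failed");
    }

    function _weight(address voter, Proposal storage p) internal view virtual returns (uint256);
}

// VULNERABLE pattern: weight is the voter's balance right now, and there is
// no delay. Borrow, vote, execute, repay all fit in one transaction.
contract OpenGovernor is Governor {
    constructor(IVotes t, uint256 q) Governor(t, q, 0) {}

    function _weight(address voter, Proposal storage) internal view override returns (uint256) {
        return token.getVotes(voter); // flash-loaned tokens count
    }
}

// HARDENED pattern: weight comes from a balance recorded before the proposal
// existed, and execution waits out a delay so token holders can react.
contract SnapshotGovernor is Governor {
    constructor(IVotes t, uint256 q, uint256 delay) Governor(t, q, delay) {
        require(delay > 0, "delay required");
    }

    function _weight(address voter, Proposal storage p) internal view override returns (uint256) {
        return token.getPastVotes(voter, p.snapshotBlock); // loan taken later is invisible
    }
}
```

The snapshot alone defeats same-transaction borrowing; the delay additionally gives holders and monitoring services such as the one that flagged this incident time to notice a hostile proposal before it can touch the treasury. Whether a delay exists for every execution path, including any emergency or fast-track route, is the thing to audit.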

This brings to light a number of concerning factors surrounding DeFi protocols, which have increasingly become targets of major hacks and thefts. One of the prevailing issues in DeFi is the gray area of legality. The space is not governed by traditional finance rules and therefore lacks the protections that come with them.

Many would perceive what happened to Beanstalk as a crime; cryptocurrency purists, however, would see the malicious actor as guilty of nothing more than exploiting the protocols behind the DeFi system. There are obvious design flaws in the crypto and blockchain spaces, but for those who operate under the assumption that “code is law,” no crime has been committed.
