A flaw in the operations of Beanstalk Farms, a stablecoin protocol, has allowed an unknown threat actor to siphon $182 million from the network, it has emerged.
A stablecoin is a cryptocurrency token that’s pegged to a regular currency or another stable asset, such as gold. As such, stablecoins have a stable value compared to more volatile cryptocurrencies, such as bitcoin.
Beanstalk Farms is a stablecoin protocol that operates on the Ethereum network, and issues the BEAN governance token, which gives owners voting power for any changes to the network itself.
Describing the incident in a Discord post, the company said the attacker discovered a vulnerability in its governance system, made possible with the help of a flash loan service. There was no malware, stolen passwords, or fake identities used in the attack.
Flash loans are like regular loans, the only difference being that they happen in a flash. These instant loans are made possible with the unique nature of blockchain technology. However, in this particular case, flash loans helped the attacker steal the money from the protocol. The threat actor used the flash loan service Aave to buy a large amount of BEAN.
Now in possession of a large proportion of BEAN, the attacker was able to pass a malicious governance proposal and siphon out all of the protocol’s funds into a private ETH wallet.
“Beanstalk did not use a flash loan resistant measure to determine the % of Stalk that had voted in favor of the BIP,” the Discord post reads. “This was the fault that allowed the hacker to exploit Beanstalk.”
A part of the funds ($250,000) was sent to a Ukrainian relief wallet, CoinDesk reported. It is currently unclear whether the company will reimburse the affected customers.
Crypto hacks are becoming more devastating by the day. Earlier this year, hundreds of millions of dollars in cryptocurrency was stolen from the Ronin Network, which provides the “blockchain bridge” that powers NFT game Axie Infinity.