DeFi protocol Beanstalk Farms lost over $180 million to malicious players due to an exploit on April 17 that allowed a hacker to pass a governance proposal.
Šios EthereumPagrindu stablokinas protocol’s exploit left several tokens missing and saw its U.S. dollar-pegged stablecoin drop below the $1 mark.
Beanstalk šiandien patyrė išnaudojimą.
„Beanstalk Farms“ komanda tiria išpuolį ir kuo greičiau apie tai praneš bendruomenei.
– Beanstalk Farms (@BeanstalkFarms) Balandis 17, 2022
Beans protocol exploited
Blockchain apsaugos įmonė „PeckShield“ first reported the hack on Twitter and said a hacker stole more than $80 million by exploiting Beanstalk Farms.
1 / The @BeanstalkFarms was exploited in a flurry of txs (https://t.co/PMsdP5dnJG ir https://t.co/wyHe3ARZgU),
leading to the gain of $80+M for the hacker (The protocol loss may be larger), including 24,830 ETH and 36M BEAN.- „PeckShield Inc.“ (@peckshield) Balandis 17, 2022
The hacker used flash loans to obtain a large amount of Beanstalk STALK tokens, which gave them enough voting power to pass a governance proposal that drained all the funds on the protocol into the hacker’s wallet.
The hacker then paid back the flash loans from Aave, Neiškeisti V2, and „Sushiswap“ and converted the funds to Wrapped ETH. The stolen funds were then sent through the Tornado Cash mixer. The hacker also donated some of his stolen crypto to Ukraine.
4/ The initial funds to launch the hack are withdrawn from @SynapseProtocol ir didžioji dalis rezultato pelno pervedama į @TornadoCash. Currently 15,154 ETH still stays in the hacker’s account. Note the hacker donates 250k USDC to Ukraine Crypto Donation. pic.twitter.com/jBjUJ0JbGj
- „PeckShield Inc.“ (@peckshield) Balandis 17, 2022
Flash loan exploits are common
Beanstalk Farms’ exploit is not the first time attackers have exploited flash loans. According to the attack summary posted on the Beanstalk Discord server, the exploit happened because Beanstalk failed to:
“use a flash loan resistant measure to determine the % of Stalk that had voted in favor of the BIP.”
1/5
The new popular @beanstalkfarms protocol lost $181M+ in today’s exploit, but the attacker only gained $76M.
Let’s figure out what happened? pic.twitter.com/sRjzAF8stE
- Igoris Igamberdievas (@ FrankResearcher) Balandis 17, 2022
The blockchain Security firm responsible for auditing Beanstalk smart contracts, Omnicia, said Beanstalk launched the code with the flash loan vulnerability after its audit. It added in a postmortem analysis of the attack that it had not yet audited the exploited code.
Given the prevalence of flash loans exploits in the DeFi space, it’s surprising that Beanstalk introduced the code without proper auditing.
In addition, there are concerns about whether the protocol will reimburse users. Beanstalk Farms said it will provide more updates at its next town hall meeting.
The hack comes only a few weeks after a Ronin bridge exploit pasimetęs $600 million on Axie Infinity in March.
Meanwhile, Tornado Cash’s use by hackers has given rise to criticism for its lack of effort in preventing fraud. The ETH mixer recently said it is using the Chainanalysis Oracle contract to blokuoti addresses sanctioned by the Office of Foreign Assets Control (OFAC) from using its services.
„Tornado Cash“ naudojimas @chainlysis Oracle sutartis blokuoti OFAC sankcionuotų adresų prieigą prie dapp.
Finansinio privatumo išlaikymas yra būtinas norint išsaugoti mūsų laisvę, tačiau tai neturėtų kainuoti reikalavimų nesilaikymo kaina.https://t.co/tzZe7bVjZt— ?️ Tornado.cash ?️ (@TornadoCash) Balandis 15, 2022
Source: https://cryptoslate.com/defi-protocol-beanstalk-loses-180m-in-exploit-hacker-gains-80m/