A flaw in the operations of Beanstalk Farms, a stablecoin protocol, allowed an unknown threat actor to siphon $182 million from the network, it has emerged.
A stablecoin is a cryptocurrency token tied to regular currency or another stable asset, such as gold. As such, stablecoins have a stable value compared to more volatile cryptocurrencies, such as bitcoin.
Beanstalk Farms is a stablecoin protocol that runs on the Ethereum network and issues the BEAN governance token, which gives owners voting power for any changes to the network itself.
Describing the incident in a Discord message, the company said the attacker discovered a vulnerability in its governance system, made possible through a flash loan service. No malware, stolen passwords or fake identities were used in the attack.
Flash loans are like regular loans, except that they are taken out and repaid in a flash, within a single blockchain transaction. These instant loans are made possible by the unique nature of blockchain technology. In this case, however, the flash loans helped the attacker steal the protocol's funds: the threat actor used the Aave flash loan service to purchase a large amount of BEAN.
Now in possession of a large portion of BEAN, the attacker was able to push through a malicious governance proposal and siphon all protocol funds into a private ETH wallet.
“Beanstalk did not use a flash loan strength metric to determine the % of Stalk that voted for BIP,” the Discord post reads. “It was the fault that allowed the hacker to exploit Beanstalk.”
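The missing check the Discord post refers to can be modelled in a few lines of Python. This is an added example, not Beanstalk's code: it assumes the flash-loan-resistant metric is a balance snapshot taken at a block before voting opens, and all names, block numbers and amounts are constructed.

```python
from bisect import bisect_right
from collections import defaultdict


class VoteToken:
    """Toy governance-token ledger that checkpoints every balance change."""

    def __init__(self):
        self.block = 0
        self.hist = defaultdict(lambda: [(0, 0)])  # holder -> [(block, balance)]

    def credit(self, holder, amount):
        """Record a balance change at the current block (negative = debit)."""
        self.hist[holder].append((self.block, self.balance(holder) + amount))

    def balance(self, holder):
        return self.hist[holder][-1][1]

    def balance_at(self, holder, block):
        """Balance as of the last checkpoint at or before `block`."""
        h = self.hist[holder]
        return h[bisect_right(h, (block, float("inf"))) - 1][1]


def support_live(token, voters):
    """Weak metric: vote weight is whatever the voter holds at tally time."""
    total = sum(token.balance(h) for h in list(token.hist))
    return sum(token.balance(v) for v in voters) / total


def support_snapshot(token, voters, snapshot_block):
    """Hardened metric: vote weight is the balance at a block fixed in advance."""
    total = sum(token.balance_at(h, snapshot_block) for h in list(token.hist))
    return sum(token.balance_at(v, snapshot_block) for v in voters) / total


def demo():
    t = VoteToken()
    t.credit("alice", 600)       # constructed long-term holders at block 0
    t.credit("bob", 400)
    t.block = 10
    snapshot = t.block           # proposal opens; weights are frozen here
    t.block = 15
    t.credit("borrower", 4000)   # stake bought with borrowed funds
    live = support_live(t, ["borrower"])
    snap = support_snapshot(t, ["borrower"], snapshot)
    t.credit("borrower", -4000)  # position unwound in the same block
    return live, snap            # (0.8, 0.0)
```

With live balances the borrowed stake carries 80% of the vote for the duration of one block; with the snapshot it carries none, because the tokens were not held when the weights were fixed.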
Part of the funds ($250,000) was sent to a Ukrainian relief wallet, CoinDesk reported. It is currently unclear whether the company will refund affected customers.
Crypto hacks are becoming more and more devastating day by day. Earlier this year, hundreds of millions of dollars in cryptocurrency were stolen from the Ronin network, which provides the “blockchain bridge” that powers the NFT game Axie Infinity.