Hack Track: Analysis of Beanstalk Flash Loan Attack
Merkle Science
On April 17, 2022, Beanstalk Farms, a decentralized credit-focused stablecoin protocol built on Ethereum, suffered an exploit. The attackers exploited Beanstalk’s governance protocol to extract $182 million in collateral, around $80 million of which went to the hacker as profit. Beanstalk enables participants to earn rewards such as Stalk and Seeds by contributing to a central funding pool called the Silo. The participants receive four Seeds for every Bean stablecoin deposited in the Silo, which in turn, earns them 0.004 Stalk every hour. Stalks are ERC-20 standards tokens that bestow governance rights over the protocol to its holders and give holders voting power. Unlike Stalks, Seeds are not liquid and do not give voting rights to their holders.
The attackers took out $1 billion in flash loans from Aave, which enabled them to amass a large number of Stalks through a series of mechanisms detailed below. They used these tokens to acquire over 67% voting power and pass malicious governance proposals, which allowed them to drain the protocol funds into a private Ethereum wallet: 0x1c5dCdd006EA78a7E4783f9e6021C32935a10fb4
A flash loan is a loan that is made and returned within the timeframe it takes to create a new block on the blockchain. It is a loan that doesn’t require the borrower to put down any collateral. The borrower will quickly flip a profit on the amount and return the initial loan before a new block is formed. In a flash loan attack, the scammer will take the loan in order to manipulate the market and/or exploit software vulnerabilities within the code.
Of late, flash loan attacks have become increasingly common. In May 2021, PancakeBunny, a Binance Smart Chain-backed yield farming aggregator suffered an exploit wherein the attackers initially borrowed a large sum of BNB through PancakeSwap pools and used it to manipulate the price of USDT/WBNB and Bunny/BNB liquidity pools in PancakeSwap. Further, in August 2021, the lending market C.R.E.A.M. Finance was also exploited. The attackers had used a reentrancy attack in C.R.E.A.M. Finance’s flash loan feature to steal 462,079,976 AMP tokens and 2,804.96 ETH coins. In October 2021, C.R.E.A.M. Finance suffered another flash loan attack whereby the attackers stole $136 million by exploiting a vulnerability in the platform’s flash loaning mechanism.
Flash loan attacks are gaining popularity in the DeFi sector as they are low-risk, low-cost and high-reward schemes. According to a report by Coinmarketcap, unlike 51% of attacks that need massive resources to pull off, flash loans only require three things: a computer, an internet connection, and ingenuity. Though the hackers need to plan out the attack in advance, the execution merely takes a few seconds to a few minutes. Moreover, DeFi hackers can easily exploit flash loans as they can be used to create artificial arbitrage opportunities. It involves manipulating asset prices in order to take advantage of arbitrage opportunities on DeFi services that would not otherwise have existed. Arbitrage is the practice of quickly buying and selling the same asset in different markets to take advantage of price differences between various markets.
What happened?
According to Merkle Science’s analysis, firstly, the attacker bought $1 billion worth of assets from the Aave protocol denominated in MakerDAO’s DAI, Circle’s USD Coin (USDC), and Tether (USDT) stablecoins. Aave is a decentralized lending system that allows users to lend, borrow, and earn interest on crypto assets, all without middlemen.
Figure1: Attackers take out a flash loan from Aave denominated in DAI, USDC, USDT
The attackers then bought 32 million BEAN tokens from Uniswap V2 worth around $6,382,805. Using the billion-dollar collateral, they also bought LiquityUSD (LUSD) amounting to $11 million from Sushiswap along with the 150 million USDT, 500 million USDC, and 350 million DAI. UniSwap and Sushiswap are decentralized exchanges that facilitate peer-to-peer trading of digital assets.
Figure 2: Attackers flash loaned 32 million Bean from UniSwap
Subsequently, the attacker minted 3CRV tokens by adding liquidity into the DAI/USDC/USDT pool (3pool) on Curve finance. 3CRV tokens are liquidity provider tokens created for the 3Pool, one of Curve Finance’s most popular pools that contain USDC, USDT & DAI. The attackers minted $350,000,000 in DAI, $500,000,000 in USDC and $150,000,000 in USDT from the 3pool. Post this, the attackers converted 15 million 3CRV to 11.6 million LUSD tokens, thus, bringing up his total LUSD holdings to $26 million LUSD. At this point, they have 32 million BEAN tokens, 26 million LUSD, and 964 million 3CRV tokens.
The attackers then add 964 million 3CRV tokens to another contract to mint 795 million BEAN3CRV-f tokens and 32 million BEAN tokens and 265 million LUSD tokens to some other contract to generate 58.9 million BEAN3LUSD-f tokens. As per the postmortem report of Omniscia, Beanstalk’s smart contract auditing firm, the protocol recently introduced BIP-12 and BIP-16 to provide support for the BEAN3CRV-f and BEANLUSD-f LP tokens to ensure that these assets can be deposited to the protocol for earning rewards.
The attackers generated BEAN3CRV-f and BEANLUSD-f LP tokens to acquire Stalks. The more Stalks a user has, the more voting power they can get. The BEAN3CRV-f and BEAN3LUSD-f tokens were converted into Stalks giving attackers more than 67% of the voting power. Only ⅔ of the votes are required to execute an “emergency” governance action.
This voting power was used to execute two proposals, which were issued on April 18, 2022.
- The first proposal — BIP-18 was executed to steal all the money from the protocol
- The next proposal — BIP-19 sent $250k worth of BEAN to the Ukraine donation address.
These proposals contained malicious codes designed to drain Silo’s funds. According to Omniscia, Beanstalk’s governance module contains an ‘emergencyCommit’ function that allowed the attackers to circumvent the usual lifecycle of a proposal and execute BIP-18 as soon as they attained super-majority voting power. Block Sec, Beanstalks’ protocol auditor, said that the attackers waited for a day after the passing of the emergency period to invoke the emergencyCommit.
The attackers then removed all the positions to clear off flash loan debt, leaving them with 24,930.71 ETH worth around $76.2 million at the time of the hack. The ETH was stored in the attacker’s wallet: 0x1c5dCdd006EA78a7E4783f9e6021C32935a10fb4. Using Merkle Science’s investigation tool Tracker we discovered that the attackers, on April 17, 2022, the attacker moved 24,930 ETH out of their wall to Tornado Cash in a series of 270 transactions most of which were of equal size and placed within seconds. They also sent 250,000 USDC to the Ukraine crypto donation wallet.
Next steps
Confirming the attack, Beanstalk Farms tweeted that “we are engaging all efforts to try to move forward. As a decentralized project, we are asking the DeFi community and experts in chain analytics to help us limit the exploiter’s ability to withdraw funds via CEXes (centralized exchanges). If the exploiter is open to a discussion, we are as well.”
Post the attack, BEAN — which is supposed to be a stablecoin pegged 1:1 to the US dollar — has been down by 78.3% and is trading at $0.21. Publius, the development team for Beanstalk Farms, said on Discord that the incident could lead to the demise of BEAN. “This project has not had any venture backing, so it is highly unlikely there is any sort of bailout coming,” stated the Publius referring to recent DeFi hacks Ronin Network attack, and Wormhole bridge attack, which was bailed out by their investors Sky Mavis and Jump Crypto so that they may return money to their users.
Beanstalk also faced criticism for not taking sufficient accountability for the hack. Some of the Beanstalk community members believe that the team should be taking more responsibility for the attack rather than accepting what happened as an honest mistake and stating that the project must move on. Publius responded saying the project is just an open-source code experiment, not a business, and the team should not be held accountable for what happened. Additionally, Publius admitted that they had not included any provision to mitigate the possibility of a flash loan attack, although presumably, this was not apparent until the situation occurred. The protocol’s smart contracts have been paused and all governance privileges have been revoked by the team.