Beanstalk, a Decentralised Finance (DeFi) protocol, lost about $182 million in crypto assets after being hit by a cyber attack, according to blockchain analysis by security firm PeckShield. The research firm said the attacker appeared to donate $250,000 of the stolen funds to a Ukrainian relief wallet.
Hackers have targeted DeFi protocols frequently, and this incident is yet another warning for those dabbling in this emerging segment of the crypto industry. DeFi companies provide an alternative finance ecosystem in which consumers transfer, trade, borrow and lend cryptocurrency independently of traditional financial institutions and the regulatory structures built around banking.
Beanstalk issues an Ethereum-based stablecoin called the ‘Bean ERC 20’, which users hold in the hope of booking profits. Stablecoins are Ethereum-based tokens designed to stay at a fixed value even when the price of Ether changes. It is commonly believed that stablecoins have a good chance of yielding profits for holders.
DeFi protocols are open source, meaning that their code is freely readable by anyone. Taking advantage of this, the attackers found a vulnerability in the Beanstalk network and pushed through their own “upgrade” to the protocol. The incident has been identified as a “flash loan” attack, and it cost the project millions of dollars’ worth of Ether and Bean tokens.
According to PeckShield, the attackers first took out a flash loan on the lending platform Aave. Flash loans are uncollateralised crypto loans that must be borrowed and repaid within a single transaction. With the borrowed funds, the attackers then bought up Beanstalk’s native governance token, Stalk. Notably, any user who holds the governance token is granted the power to vote on changes to the protocol.
The attacker now had the power to make a change in the protocol, and was able to quickly pass a malicious governance proposal that drained all protocol funds into a private Ethereum wallet. “Beanstalk did not use a flash loan resistant measure to determine the % of Stalk that had voted in favor of the BIP. This was the fault that allowed the hacker to exploit Beanstalk,” PeckShield wrote.
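The weakness PeckShield describes is that voting power was read from balances at the moment of the vote, so tokens borrowed and returned within one transaction still counted. The following simulation, added here as an illustration rather than Beanstalk’s own code, contrasts that live tally with a snapshot tally that weighs votes by balances recorded at a block before the proposal existed; all account names, amounts and block numbers are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class GovToken:  # toy governance-token ledger that checkpoints balances per block
    block: int = 0
    balances: dict = field(default_factory=dict)
    history: dict = field(default_factory=dict)  # addr -> [(block, balance), ...]

    def _record(self, *addrs):
        for a in addrs:
            self.history.setdefault(a, []).append((self.block, self.balances[a]))

    def mint(self, addr, amount):
        self.balances[addr] = self.balances.get(addr, 0) + amount
        self._record(addr)

    def transfer(self, src, dst, amount):
        assert self.balances.get(src, 0) >= amount, "insufficient balance"
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        self._record(src, dst)

    def balance_at(self, addr, blk):  # latest checkpoint at or before block `blk`
        bal = 0
        for b, v in self.history.get(addr, []):
            if b > blk:
                break
            bal = v
        return bal

def tally_live(token, voters):
    """Vulnerable: weighs votes by current holdings, which a flash loan can inflate."""
    yes = sum(token.balances.get(v, 0) for v in voters)
    return yes / sum(token.balances.values())

def tally_snapshot(token, voters, snapshot_block):
    """Hardened: weighs votes by balances at a block before the proposal existed."""
    yes = sum(token.balance_at(v, snapshot_block) for v in voters)
    return yes / sum(token.balance_at(a, snapshot_block) for a in token.history)

def run_scenario():
    """Constructed scenario: a voter whose balance exists only inside the vote block."""
    t = GovToken()
    t.mint("alice", 1000)                # long-term holder
    t.mint("pool", 3000)                 # tokens in a market, buyable with borrowed funds
    t.block = 5                          # proposal created in block 5; snapshot = block 4
    t.transfer("pool", "mallory", 3000)  # bought and voted within one block, then returned
    live = tally_live(t, ["mallory"])
    snap = tally_snapshot(t, ["mallory"], snapshot_block=4)
    return live, snap                    # (0.75, 0.0)
```

Under the live tally the transient holder controls 75% of the vote; under the snapshot tally it controls none, which is the kind of flash-loan-resistant measure PeckShield says was missing. A snapshot is usually paired with an execution delay so that a proposal cannot be created, voted on and executed in the same block.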
In March, Axie Infinity’s Ronin Blockchain was exploited for $625 million in an attack that US officials have linked to North Korea. Ronin is used to power the popular online game Axie Infinity, which uses non-fungible tokens (NFTs) and is the biggest NFT collection by all-time sales volume, according to NFT market tracker CryptoSlam.