A flaw in the operations of Beanstalk Farms, a stablecoin protocol, has allowed an unknown threat actor to siphon $182 million from the network, it has emerged.
A stablecoin is a cryptocurrency token that’s pegged to a regular currency or another stable asset, such as gold. As such, stablecoins have a stable value compared to more volatile cryptocurrencies, such as bitcoin.
Beanstalk Farms is a stablecoin protocol that operates on the Ethereum network, and issues the BEAN governance token, which gives owners voting power for any changes to the network itself.
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.
Describing the incident in a Discord post, the company said the attacker discovered a vulnerability in its governance system, made possible with the help of a flash loan service. There was no malware, stolen passwords, or fake identities used in the attack.
Flash loans are like regular loans, the only difference being that they happen in a flash. These instant loans are made possible with the unique nature of blockchain technology. However, in this particular case, flash loans helped the attacker steal the money from the protocol. The threat actor used the flash loan service Aave to buy a large amount of BEAN.
Now in possession of a large proportion of BEAN, the attacker was able to pass a malicious governance proposal and siphon out all of the protocol’s funds into a private ETH wallet.
“Beanstalk did not use a flash loan resistant measure to determine the % of Stalk that had voted in favor of the BIP,” the Discord post reads. “This was the fault that allowed the hacker to exploit Beanstalk.”
A part of the funds ($250,000) was sent to a Ukrainian relief wallet, CoinDesk reported. It is currently unclear whether the company will reimburse the affected customers.
Crypto hacks are becoming more devastating by the day. Earlier this year, hundreds of millions of dollars in cryptocurrency was stolen from the Ronin Network, which provides the "blockchain bridge" that powers NFT game Axie Infinity.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.