A flaw in the operations of Beanstalk Farms, a stablecoin protocol, has allowed an unknown threat actor to siphon $182 million from the network, it has emerged.
A stablecoin is a cryptocurrency token that’s pegged to a regular currency or another stable asset, such as gold. As such, stablecoins have a stable value compared to more volatile cryptocurrencies, such as bitcoin.
Beanstalk Farms is a stablecoin protocol that operates on the Ethereum network, and issues the BEAN governance token, which gives owners voting power for any changes to the network itself.
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.
Describing the incident in a Discord post, the company said the attacker discovered a vulnerability in its governance system, made possible with the help of a flash loan service. There was no malware, stolen passwords (opens in new tab), or fake identities (opens in new tab) used in the attack.
Flash loans are like regular loans, the only difference being that they happen in a flash. These instant loans are made possible with the unique nature of blockchain technology. However, in this particular case, flash loans helped the attacker steal the money from the protocol. The threat actor used the flash loan service Aave to buy a large amount of BEAN.
Now in possession of a large proportion of BEAN, the attacker was able to pass a malicious governance proposal and siphon out all of the protocol’s funds into a private ETH wallet.
> The maker of Axie Infinity just suffered one of the largest heists in crypto history (opens in new tab)
> FBI says North Korean Lazarus group was behind huge crypto theft (opens in new tab)
> 2FA compromise led to Crypto.com hack (opens in new tab)
“Beanstalk did not use a flash loan resistant measure to determine the % of Stalk that had voted in favor of the BIP,” the Discord post reads. “This was the fault that allowed the hacker to exploit Beanstalk.”
A part of the funds ($250,000) was sent to a Ukrainian relief wallet, CoinDesk reported. It is currently unclear whether the company will reimburse the affected customers.
Crypto hacks are becoming more devastating by the day. Earlier this year, hundreds of millions of dollars in cryptocurrency was stolen from the Ronin Network (opens in new tab), which provides the "blockchain bridge" that powers NFT game Axie Infinity.
- If you're looking to prevent data loss, check out our list of the best services here (opens in new tab)
Via CoinDesk (opens in new tab)