On the 17th of April, Beanstalk Farms suffered a major hack, leaving it with a loss running into millions of dollars.
Beanstalk farms was drained of nearly 182 million dollars, by an attacker using a flash loan.
The anonymity of crypto is a double-edged sword. It can grant people the privacy they seek and also grant criminals a suitable cloak to carry out their evil activities.
Large sums of money are usually lost when a hacker attacks a financial institution or entity. Sometimes, web3/crypto projects are victims of hacks too. The latest web3 protocol to experience a major financial attack is, unfortunately, Beanstalk Farms.
How much did Beanstalk Farms lose?
The protocol lost about 182 million dollars in the attack. Here’s the breakdown of the loss:
- 36M BEAN ($36M)
- $33M in ETH and an additional $32M in BEAN)
- $79.2M from Curve’s liquidity pool
- $1.6M from Curve’s liquidity pool again, this time, from the BEAN-LUSD pair.
But, it is said that the hacker did not profit from the whole multi-million deal. In fact, the researcher says the hacker carted away less than half of the spoils: about 76 million dollars.
How was the attack carried out?
While it is true that the attacker used a flash loan, there were other things involved too. Firstly, the attacker created a faux proposal, posing as someone genuinely interested in donating $250,000 to the crisis in Ukraine.
With this proposal, the hacker then moved to get flash loans from other protocols like Aave, Uniswap, and SushiSwap. These tokens were used to add liquidity to Curve pools with BEAN for the governance voting.
Now, since BEAN is also a governance token, the hacker gave it out to the community. Once the community voted in favor of the fake proposal, its funds were hurriedly moved out. All flash loans were paid and the resulting money turned to WETH.
What Beanstalk Farms is saying
The credit protocol has since confirmed the attack and has constantly updated the public via Twitter on the way forward. A few hours ago, Beanstalk made an offer in this tweet. Whoever is behind the malicious attack gets to keep 10% of the total money as “Whitehat bounty”, if 90% of the finds are returned to an address pasted in the tweet.
So far, there are no new updates concerning the situation. As to whether the hacker will actually return the funds or not, only time will tell.
Flash loans, which allow one to borrow and repay the money quickly without collateral, have always been used as a vehicle for carting away millions of dollars from crypto protocols.
For example, in 2021, BurgerSwap experienced a $7.2 million flash loan attack. A few months later, Cream Finance lost about $136 million in a second flash loan attack. Both crypto protocols and their investors have to be more careful about what they do in their communities, and how they do it.