Another Ethereum-based DeFi Protocol Suffers an Exploit Worth $180 Million
On Sunday, April 17, Beanstalk, a decentralized credit-based stablecoin platform, was compromised, resulting in the loss of $181 million in multiple tokens.
Following the exploit, Beanstalk posted on its official Twitter feed: “Today, Beanstalk was exploited. The Beanstalk Farms team is conducting an investigation and will notify the community as soon as feasible.”
According to a series of tweets by crypto specialist Igor Igamberdiev, the attacker walked away with $76 million in profit from the deftly staged theft. According to analysts, the attack did not exploit a bridge vulnerability, as in the Ronin incident, but was a flash loan attack.
According to reports, the attacker flash-loaned 350 million $DAI, 500 million $USDC, 150 million $USDT, 32 million $BEAN, and 11.6 million $LUSD from three DEXes before transferring the funds to Curve.fi and using BEAN for governance voting.
The exploiter then used the acquired voting weight to vote in favor of the BIP18 governance proposal, which transferred all funds from the protocol contract to the exploiter. The exploiter “donated” 250,000 USDC to Ukraine’s crypto contribution fund before repaying the flash loans with another share of the proceeds. The remaining funds were then converted into 24.8k WETH ($76M), with a portion sent to Tornado Cash and the remainder (the amount used to conduct the attack) withdrawn through the DeFi bridge Synapse.
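The sequence above (borrow governance tokens, vote, have the proposal pay out, repay the loan, all atomically) only works when a governance contract counts voting power from balances at the moment of voting and lets a passed proposal execute immediately. The following simulation is an added example written for this article, not Beanstalk's code or BIP18; the governance model, the holder balances, the majority rule and the names `Governance`, `single_block_borrowed_vote` and `run_scenarios` are all constructed here. It shows the same borrowed-stake sequence against four configurations, so a defender can see which of two standard mitigations (a vote-weight snapshot taken at proposal creation, and an execution delay or timelock) breaks the single-block pattern.

```python
from dataclasses import dataclass, field


@dataclass
class Proposal:
    created_block: int
    for_votes: int = 0
    voted: set = field(default_factory=set)
    executed: bool = False


class Governance:
    """Toy on-chain governance model (constructed for this example).

    snapshot_voting: count a voter's balance as it was at the start of the
        block in which the proposal was created (a token snapshot), rather
        than the balance at the moment the vote is cast.
    execution_delay: minimum number of blocks between proposal creation and
        execution (a timelock). Delay 0 means a proposal can execute in the
        same transaction that created it.
    """

    def __init__(self, balances, treasury, snapshot_voting, execution_delay):
        self.balances = dict(balances)
        self.total_supply = sum(balances.values())
        self.treasury = treasury          # funds the proposal can pay out
        self.block = 1
        self.snapshots = {1: dict(balances)}  # block -> balances at block start
        self.snapshot_voting = snapshot_voting
        self.execution_delay = execution_delay
        self.proposals = []

    def mine_block(self):
        """Advance one block; the new block's snapshot is the current state."""
        self.block += 1
        self.snapshots[self.block] = dict(self.balances)

    def transfer(self, sender, receiver, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[receiver] = self.balances.get(receiver, 0) + amount

    def propose(self):
        self.proposals.append(Proposal(created_block=self.block))
        return len(self.proposals) - 1

    def voting_power(self, voter, proposal):
        # Snapshot weight ignores tokens acquired after the proposal was created,
        # which is exactly what a flash loan inside a later transaction is.
        if self.snapshot_voting:
            return self.snapshots[proposal.created_block].get(voter, 0)
        return self.balances.get(voter, 0)

    def vote(self, pid, voter):
        p = self.proposals[pid]
        if voter in p.voted:
            raise ValueError("already voted")
        p.voted.add(voter)
        p.for_votes += self.voting_power(voter, p)

    def execute(self, pid, beneficiary):
        """Pay the treasury to `beneficiary` if the timelock and majority hold."""
        p = self.proposals[pid]
        if p.executed:
            return False
        if self.block < p.created_block + self.execution_delay:
            return False  # timelock: cannot execute yet
        if 2 * p.for_votes <= self.total_supply:
            return False  # needs a strict majority of total supply
        p.executed = True
        self.balances[beneficiary] = self.balances.get(beneficiary, 0) + self.treasury
        self.treasury = 0
        return True


def single_block_borrowed_vote(gov, voter, lender, amount):
    """One atomic sequence inside a single block: borrow governance tokens,
    propose, vote, try to execute, repay. Returns whether the proposal executed."""
    gov.transfer(lender, voter, amount)      # borrow
    pid = gov.propose()
    gov.vote(pid, voter)
    executed = gov.execute(pid, voter)
    gov.transfer(voter, lender, amount)      # repay within the same block
    return executed


def run_scenarios():
    """Constructed holder set: a liquidity pool ('lender') holds most of the
    supply, which is what makes a borrowed majority possible at all."""
    holders = {"alice": 40, "bob": 35, "lender": 200, "mallory": 0}
    configs = [
        ("vote_time_weight_no_delay", False, 0),
        ("snapshot_weight", True, 0),
        ("timelock_only", False, 2),
        ("snapshot_and_timelock", True, 2),
    ]
    results = {}
    for name, snap, delay in configs:
        gov = Governance(holders, treasury=1_000_000,
                         snapshot_voting=snap, execution_delay=delay)
        results[name] = single_block_borrowed_vote(gov, "mallory", "lender", 200)
    return results


if __name__ == "__main__":
    for name, executed in run_scenarios().items():
        print(f"{name}: proposal executed = {executed}")
```

Only the first configuration lets the borrowed stake carry the proposal. A snapshot removes the borrowed tokens from the voter's weight because they were not held when the proposal was created, and a timelock forces the voter to hold the tokens across blocks, which a flash loan (repaid within the same transaction) cannot do. Real deployments combine both, since each closes a different gap.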
As of this writing, Beanstalk has requested assistance from the DeFi community and chain analytics specialists “in order to assist us in limiting the exploiter’s capacity to withdraw cash through CEXes.” They have also stated their willingness to negotiate with the hacker. Tornado Cash, on the other hand, has yet to respond.
Tornado Cash has come under criticism for allegedly facilitating investment fraud after a number of attacks against DeFi protocols over the last six months or so. The protocol is already under scrutiny by US authorities following the compromise that resulted in the theft of around $625 million from Ronin, the blockchain network that powers the Axie Infinity play-to-win crypto game.
On Friday, Tornado Cash integrated an oracle contract from the crypto data research company Chainalysis to block OFAC-sanctioned addresses from accessing the system, raising DeFi users’ security expectations. While this may help reduce the prospect of stolen assets being laundered, the smart contracts running on the protocol are immutable and the screening does not change them, which means that hackers could still use Tornado Cash to withdraw funds anonymously.
Having said that, many remain perplexed as to how a mixer with $1.1 billion in ETH deposits and a 95% withdrawal rate through relayers “remains legal” while still guaranteeing anonymity.