An attacker has drained US$182 million from Beanstalk stablecoin protocol in a flash loan attack, the second nine-figure DeFi exploit in just a month. Beanstalk joins a growing list of Ethereum DeFi protocols to suffer multimillion-dollar breaches:
The attack on Beanstalk, a credit-based stablecoin built on Ethereum, mirrors an incident last year where PancakeBunny’s DeFi protocol suffered a US$45 million loss from the ecosystem. In the Beanstalk case, an attacker used a flash loan exploit to drain the protocol’s funds and Etherscan data shows Aave’s flash loan feature was leveraged to withdraw liquidity from the protocol. The hacker then used Uniswap to trade DAI, USDC and USDT for Ethereum.
The market for Beanstalk’s BEAN stablecoin collapsed as a result of the attack and the token was down 86 percent at the time of writing.
Native Tokens Used to Drain Funds
Beanstalk has since reported that the flash loan on Aave enabled the attacker to amass a large amount of Beanstalk’s native governance token, Stalk. Through the voting powers granted by the tokens, the attacker was then able to pass a malicious governance proposal that drained all protocol funds into a private Ethereum wallet:
Some Stolen Funds Diverted to a Ukrainian Relief Wallet
Beanstalk’s smart contracts were audited, but the audit was completed before the introduction of the flash loan vulnerability. No information has yet been forthcoming on whether funds would be reimbursed to users. According to PeckShield, the attacker appears to have donated US$250,000 of the stolen funds to a Ukrainian relief wallet.
Disclaimer: The content and views expressed in the articles are those of the original authors own and are not necessarily the views of Crypto News. We do actively check all our content for accuracy to help protect our readers. This article content and links to external third-parties is included for information and entertainment purposes. It is not financial advice. Please do your own research before participating.