According to security firm PeckShield, a flash loan attack on the credit-based stablecoin protocol Beanstalk resulted in the theft of $182 million in tokens.
A malicious DAO proposal
The attacker took out a $900M flash loan on Aave, a type of uncollateralized lending. They then used these funds to add liquidity to BEAN + 3pool, a stablecoin liquidity pool on the decentralized exchange Curve. With the governance power this gave them, the attacker approved an improvement proposal (BIP) that drained the protocol's liquidity; the attacker was able to pass the proposal single-handedly with those funds and drain liquidity worth more than $180 million. Interestingly, the attacker also donated $250k to Ukraine, a transfer that was coded into the contract that carried out the attack.
Even though the attack is still under investigation and the information is not entirely confirmed, the protocol evidently lacked safeguards against this type of DAO proposal: a user should not be able to borrow a large sum of money and approve a proposal with it in one quick step. According to one of the founders, Publius, users' funds are unlikely to be refunded because there is no venture funding, and the attacker is currently attempting to move the stolen funds through Tornado Cash.
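The missing safeguard, modelled as an added example (constructed toy code, not Beanstalk's contracts): a governance contract that weights votes by each holder's current balance and executes immediately can be passed with tokens acquired moments earlier, whereas one that weights votes by a balance snapshot taken at the start of the proposal block and enforces an execution timelock cannot, because a flash loan has to be repaid before the block ends. The holder names, amounts, simple-majority rule and two-block timelock are assumptions.

```python
# Toy model of token-weighted governance (constructed example, not Beanstalk's code):
# votes weighted by the CURRENT balance and executed at once, versus votes weighted by
# a snapshot from the start of the proposal block plus an execution timelock.
from dataclasses import dataclass, field

@dataclass
class Proposal:
    created_block: int
    votes_for: int = 0

@dataclass
class Governance:
    balances: dict            # holder -> governance-token balance right now
    total_supply: int
    use_snapshot: bool        # weight votes by balance at the START of the proposal block
    timelock_blocks: int      # blocks that must elapse before a passed proposal executes
    block: int = 0
    history: list = field(default_factory=list)   # history[b] = balances at start of block b

    def __post_init__(self):
        self.history.append(dict(self.balances))
    def advance_block(self):
        self.block += 1
        self.history.append(dict(self.balances))   # taken before any activity in the block
    def voting_power(self, holder, proposal):
        if self.use_snapshot:
            return self.history[proposal.created_block].get(holder, 0)
        return self.balances.get(holder, 0)
    def vote(self, holder, proposal):
        proposal.votes_for += self.voting_power(holder, proposal)
    def can_execute(self, proposal):   # timelock elapsed and simple majority of supply
        return (self.block >= proposal.created_block + self.timelock_blocks
                and proposal.votes_for * 2 > self.total_supply)

def same_block_borrowed_vote(gov, amount=900_000):
    # Tokens bought with borrowed funds, proposal, vote and execution attempt in ONE block;
    # the loan must be repaid before the block ends, so the tokens are sold back.
    gov.advance_block()
    gov.balances["market"] -= amount
    gov.balances["attacker"] = amount
    p = Proposal(created_block=gov.block)
    gov.vote("attacker", p)
    passed = gov.can_execute(p)
    gov.balances["market"] += gov.balances.pop("attacker")
    return passed

def long_held_vote(gov, holder="honest"):
    # A holder whose tokens predate the proposal still passes it once the timelock elapses.
    gov.advance_block()
    p = Proposal(created_block=gov.block)
    gov.vote(holder, p)
    for _ in range(gov.timelock_blocks): gov.advance_block()
    return gov.can_execute(p)
```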
What is Beanstalk?
Beanstalk is an Ethereum-based decentralized credit-based stablecoin protocol launched in August 2021. Its own stablecoin, $BEAN, is uncollateralized. Instead of using collateral, the protocol states that it relies on a community of lenders to keep Bean pegged by offering incentives to users, lenders, and arbitrageurs. The protocol had gained popularity due to its high yield. $BEAN currently has a market cap of around $40 million, but holders are unlikely to be able to withdraw because there is no liquidity.