Understanding how flash loans and governance work in DeFi to demystify the Beanstalk Farms Hack

The only way to understand how the Beanstalk Farms decentralized credit-based stablecoin protocol exploit happened is to first understand flash loans, which are a little known financial tool unique to the DeFi (decentralized finance) space, as well as governance.

A flash loan is, like it sounds, a very fast loan. It happens within a single blockchain transaction and no collateral is needed. Instead, the borrower needs to set up a series of trades using smart contracts that can all be executed at once, and they must yield a profit. If the trade doesn’t yield a profit, the transaction is cancelled and the loan is not approved. On the other hand, if it does yield a profit then a fee is paid to the platform issuing the loan, such as Aave for example, and the remainder is kept by the trader.

If that all sounds too good to be true, it’s because it kind of is. You’ll pay a lot in gas fees, even for failed transactions, and the vast majority of your transactions will probably fail. There are programs to help you organize the trades and find arbitrage opportunities, but it’s still incredibly difficult. Only deeply experienced traders should attempt to use flash loans.

As exciting as they are, flash loans also present unique security risks to DeFi protocols. The $182M exploit of the Beanstalk Farms ecosystem is a perfect example.

How the Attack was Executed

So we know about flash loans, but we also need to briefly discuss governance, particularly in relation to DAOs (decentralized autonomous organizations). With a decentralized project like Beanstalk Farms, a governance protocol is needed to take various actions, such as software updates, changing yield and protocol details, or proposing and voting on solutions to problems that might arise.

What’s important to know about the DAO in this case is that proposals need a supermajority (more than 2/3) in order to pass, and the platform’s BEAN stablecoin can be used to generate Stalk and Seed tokens, which represent voting power – so if a bad actor could take control of >67% of the governance tokens, they would be able to attack the network and pass malicious proposals.

That’s exactly what happened.

A series of fast transactions involving a $1B flash loan from the Aave protocol along with what must have been the longest 24h wait in the attacker’s life allowed them to take control of a massive pile of BEAN, then use them to generate enough Seed and Stalk tokens to give their wallet 70% of the supply, and then transfer all the funds from Beanstalk’s wallet to their own, ultimately making off with around $76M worth of stolen cryptocurrency, but leaving Beanstalk Farms out $182M in liquidity.

Cybersecurity firm DeFiSafety released a post-mortem with all the technical details.

Timeline of the Beanstalk Farms Hack

April 16, 2022:

At 08:38 UTC, this address (referred to as the ‘Beanstalk Flashloan Exploiter’ address) swaps 73 ETH for 212,858 BEAN. Nothing suspicious here, but now that we know to look we can see that the wallet was initially funded through the crypto mixer Tornado Cash.

Nine minutes later, at 08:47 UTC, this transaction shows the same address depositing the 212K BEAN into the Beanstalk ‘Silo’, which is the mechanism used for generating Seed and Stalk governance tokens. With this deposit, a proportionate amount of governance tokens were generated to allow the address to make a governance proposal.

At 10:54 UTC, the attacker made the first of two proposals. Notably, the first proposal was seemingly blank while the second proposal was a $250,000 donation to Ukrainian crypto exchange KUNA, which was passed but promptly returned with a message from the exchange’s founder. The first proposal contained hidden code which connected it to a malicious smart contract that, if passed, would drain the Beanstalk liquidity into the attacker’s wallet.

However, proposals require a 7-day period before they execute (if they obtain a supermajority vote), but there’s a backdoor called the emergencyCommit() function, which allows a proposal to pass in just 24 hours. All that’s needed is >67% of governance tokens to execute emergencyCommit().

April 17, 2022:

At 12:24 UTC, more than 24 hours after the two proposals were made in the Beanstalk DAO, the attacker initiates the $1B flash loan which includes 350M DAI, 500M USDC, and 150M USDT.

A flurry of swaps occur within the single transaction which allow the attacker to borrow over 32M BEAN and several million more in various Beanstalk whitelisted stablecoins. All this led to the generation of a 70% supply of the governance tokens, which allowed the attacker to execute emergencyCommit() on their two proposals.

As mentioned above, the first proposal passing actually transferred all of Beanstalk’s liquidity to the attacker’s wallet. With the stolen funds, the attacker paid off the flash loan and walked away with around $76M worth of stolen ETH, while Beanstalk Farms had lost $182M.

BeanStalk Farms releases the first public statement confirming the attack at 17:36 UTC via tweet. They also paused the protocol using ownership privileges right before making the announcement. An update in Discord shortly after confirmed the Beanstalk team had contacted the FBI.

April 18, 2022:

The primary Beanstalk dev, who went by Publius, revealed to the community in a Discord announcement they were actually 3 people and publicly doxxed themselves to help reassure users they were not involved in the attack.

The attacker sent the funds through Tornado Cash and they have still not been recovered as of October, 2022.

Website | Other articles

For over 30 years, Marin Ivezic has been protecting financial services and critical infrastructure against cyber, financial crime, and regulatory risks. He previously held multiple interim CISO, CRO and technology leadership roles in Global 2000 companies. Since 2013 he has been advising institutions and regulators around the world on safe, secure and compliant adoption of crypto assets and other decentralized technologies.