Beanstalk loses 23 billion yen to a flash loan attack, a kind of attack that occurs frequently on DeFi (decentralized finance) platforms
Beanstalk, one of the decentralized finance (DeFi) platforms, so called because they have no central entity such as a cryptocurrency exchange, was targeted by attackers and lost $182 million. This is reported to be a considerable loss of about 23 billion yen.
Beanstalk Governance Exploit | Beanstalk
DeFi Project Beanstalk Loses $182 Million in Flash Loan Attack - Bloomberg
Beanstalk cryptocurrency loses $182m of reserves in flash 'attack' | Cryptocurrencies | The Guardian
Beanstalk cryptocurrency project robbed after hacker votes to send themself $182 million - The Verge
The attacker used one of the characteristic mechanisms of DeFi, the 'flash loan', which allows a loan to be borrowed and repaid within a single transaction without collateral or interest.
According to Beanstalk, the attacker used a flash loan to transfer about $76 million in user assets to the attacker's wallet at around 12:24 Coordinated Universal Time.
PeckShield, which handles security and data analysis related to blockchain, estimates that the attacker gained over $80 million (about 10.3 billion yen) and that the total damage will be even larger. News sites such as Bloomberg, The Guardian, and The Verge report a total of $182 million.
1 / The @BeanstalkFarms was exploited in a flurry of txs ( https://t.co/PMsdP5dnJG and https://t.co/wyHe3ARZgU ), leading to the gain of $80+M for the hacker (The protocol loss may be larger), including 24,830 ETH and 36M BEAN. — PeckShield Inc. (@peckshield) April 17, 2022
2 / The hack is made possible due to the flashloan-assisted (immediate) pass of BIP18, which was submitted one day ago ( https://t.co/4TocPkMna0 ). The BIP18 leads to the crafted code execution with the governance privilege to drain the pool fund. pic.twitter.com/qLYk7jhTCG — PeckShield Inc. (@peckshield) April 17, 2022
3 / To illustrate, we use the hack tx and show the key steps below pic.twitter.com/9N71BvQfGb — PeckShield Inc. (@peckshield) April 17, 2022
There have already been multiple reports of attacks that abuse flash loans. In August 2021, the DeFi platform Cream Finance lost 3 billion yen, and in the first half of 2021 alone such attacks caused considerable damage totaling 52 billion yen.
A hacker steals 3 billion yen worth of virtual currency from the DeFi platform, the damage amount of the same case is over 52 billion yen - GIGAZINE
It is not clear whether this attacker was involved in any of the past attacks. It has been confirmed that the attackers donated $50,000 worth of virtual currency (about 32 million yen) to Ukraine.
4 / The initial funds to launch the hack are withdrawn from @SynapseProtocol and most of the result gains are cryptocurrency to @TornadoCash . Currently 15,154 ETH still stays in the hacker's account. Note the hacker donates 250k USDC to Ukraine Crypto Donation. pic.twitter.com/jBjUJ0JbGj — PeckShield Inc. (@peckshield) April 17, 2022
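The article attributes the loss to a flash-loan-assisted governance vote. As an added illustration (not code from Beanstalk, PeckShield or the original article), this simplified Python model compares counting votes by live balance with counting them by a balance snapshot taken before the proposal was submitted. The ledger, the names, the amounts and the two-thirds threshold are all constructed assumptions.

```python
# Simplified model, not Beanstalk's contract logic. All names and numbers are constructed.
from bisect import bisect_right

class Token:
    """Ledger that keeps one balance checkpoint per (address, block)."""
    def __init__(self, balances):
        self.block = 1
        self.hist = {a: [(0, b)] for a, b in balances.items()}  # addr -> [(block, balance)]

    def balance(self, addr, at_block=None):
        cps = self.hist.get(addr, [(0, 0)])
        if at_block is None:
            return cps[-1][1]                        # live balance
        i = bisect_right(cps, (at_block, float("inf"))) - 1
        return cps[i][1]                             # last checkpoint at or before at_block

    def move(self, src, dst, amount):
        for addr, delta in ((src, -amount), (dst, amount)):
            cps = self.hist.setdefault(addr, [(0, 0)])
            new = cps[-1][1] + delta
            if cps[-1][0] == self.block:
                cps[-1] = (self.block, new)          # same block: overwrite the checkpoint
            else:
                cps.append((self.block, new))

def vote_weight(token, voter, proposal_block, mode):
    """'live' reads the balance at vote time; 'snapshot' reads it one block before the proposal."""
    if mode == "live":
        return token.balance(voter)
    return token.balance(voter, at_block=proposal_block - 1)

def simulate(mode, others=1_000, loan=9_000, threshold=2 / 3):
    token = Token({"holders": others, "lender": loan})
    token.block = 5                                  # proposal is submitted in block 5
    proposal_block = token.block
    token.block = 6                                  # the vote happens in a later block
    # A single transaction: borrow, vote, repay. The loan never outlives the block.
    token.move("lender", "borrower", loan)
    weight = vote_weight(token, "borrower", proposal_block, mode)
    token.move("borrower", "lender", loan)
    return {"weight": weight,
            "passes": weight / (others + loan) >= threshold,
            "borrower_after": token.balance("borrower")}

if __name__ == "__main__":
    for mode in ("live", "snapshot"):
        print(mode, simulate(mode))
```

With live balances the borrowed tokens count toward the vote even though they are repaid in the same transaction; with a snapshot from before the proposal they carry no weight.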